HTTP/2 200
referrer-policy: strict-origin-when-cross-origin
cross-origin-opener-policy: same-origin
via: 1.1 google, 1.1 varnish, 1.1 varnish
x-backend-server: bedrock-6594f89b97-wcx9p.gcp-us-west1
strict-transport-security: max-age=31536000
content-language: en-US
expires: Sun, 05 Oct 2025 12:21:35 GMT
etag: "79a033cd6d00aeb28fead68e29638ad7"
x-frame-options: DENY
x-clacks-overhead: GNU Terry Pratchett
cache-control: max-age=600
server: granian
content-security-policy-report-only: media-src 'self' assets.mozilla.net videos.cdn.mozilla.net www.mozilla.org; object-src 'none'; connect-src 'self' https://accounts.firefox.com/ https://basket.mozilla.org o1069899.ingest.sentry.io o1069899.sentry.io region1.google-analytics.com www.google-analytics.com www.googletagmanager.com www.mozilla.org/submit/bedrock/; img-src 'self' blog.mozilla.org data: images.ctfassets.net www.google-analytics.com www.googletagmanager.com www.mozilla.org; style-src 'self' www.mozilla.org; script-src 'self' 'unsafe-eval' 'unsafe-inline' js.stripe.com s.ytimg.com tagmanager.google.com www.google-analytics.com www.googletagmanager.com www.mozilla.org www.youtube.com; form-action 'self' https://accounts.firefox.com/ https://basket.mozilla.org; frame-src 'self' accounts.firefox.com js.stripe.com www.google-analytics.com www.googletagmanager.com www.youtube.com; default-src 'self' *.mozilla.org; font-src 'self' www.mozilla.org; frame-ancestors 'none'; upgrade-insecure-requests; base-uri 'none'
content-type: text/html; charset=utf-8
content-security-policy: media-src 'self' assets.mozilla.net videos.cdn.mozilla.net www.mozilla.org; object-src 'none'; connect-src 'self' https://accounts.firefox.com/ https://basket.mozilla.org o1069899.ingest.sentry.io o1069899.sentry.io region1.google-analytics.com www.google-analytics.com www.googletagmanager.com www.mozilla.org/submit/bedrock/; img-src 'self' blog.mozilla.org data: images.ctfassets.net www.google-analytics.com www.googletagmanager.com www.mozilla.org; style-src 'self' 'unsafe-inline' www.mozilla.org; script-src 'self' 'unsafe-eval' 'unsafe-inline' js.stripe.com s.ytimg.com tagmanager.google.com www.google-analytics.com www.googletagmanager.com www.mozilla.org www.youtube.com; form-action 'self' https://accounts.firefox.com/ https://basket.mozilla.org; frame-src 'self' accounts.firefox.com js.stripe.com www.google-analytics.com www.googletagmanager.com www.youtube.com; default-src 'self' *.mozilla.org; font-src 'self' www.mozilla.org; frame-ancestors 'none'; upgrade-insecure-requests; base-uri 'none'
x-content-type-options: nosniff
content-encoding: gzip
accept-ranges: bytes
age: 0
date: Sun, 05 Oct 2025 12:11:35 GMT
x-served-by: cache-bom-vanm7210049-BOM, cache-bom-vanm7210036-BOM
x-cache: MISS, MISS
x-cache-hits: 0, 0
x-timer: S1759666295.489215,VS0,VE441
vary: Accept-Encoding
content-length: 7357
Security Advisories for Mozilla VPN — Mozilla
Help us improve your Mozilla experience
In addition to Cookies necessary for this site to function, we’d like your permission to set some additional Cookies to better understand your browsing needs and improve your experience. Rest assured — we value your privacy.
Accept All Additional Cookies
Reject All Additional Cookies
Cookie settings
Security Advisories for Mozilla VPN
Impact key
Critical
Vulnerability can be used to run attacker code and install
software, requiring no user interaction beyond normal browsing.
High
Vulnerability can be used to gather sensitive data
from sites in other windows or inject data or code into
those sites, requiring no more than normal browsing actions.
Moderate
Vulnerabilities that would otherwise be High or Critical
except they only work in uncommon non-default configurations or
require the user to perform complicated and/or unlikely steps.
Low
Minor security vulnerabilities such as Denial of Service
attacks, minor data leaks, or spoofs. (Undetectable spoofs of
SSL indicia would have "High" impact because those are generally
used to steal sensitive data intended for other sites.)
