CVE-2025-0244

Medium

Published: 07 January 2025

Published

07 January 2025

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score 0.0768 91.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

When redirecting to an invalid protocol scheme, an attacker could spoof the address bar. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 134.

Security Summary

CVE-2025-0244 is a vulnerability in Mozilla Firefox on Android operating systems, where redirecting to an invalid protocol scheme allows an attacker to spoof the address bar. This issue stems from CWE-601 (URL Redirection to Untrusted Site) and carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact. Other operating systems are unaffected, and the vulnerability was addressed in Firefox version 134.

Remote attackers can exploit this vulnerability without authentication or user interaction by crafting a malicious redirect to an invalid protocol scheme, tricking users into believing they are visiting a different site than intended. Successful exploitation enables address bar spoofing, potentially facilitating phishing attacks by misleading users about the current webpage's origin and compromising confidentiality through deceptive navigation.

Mozilla's security advisory (MFSA 2025-01) and Bugzilla entry (ID 1929584) confirm the fix in Firefox 134, recommending users update to this version or later to mitigate the issue. No workarounds are specified in the provided references.

Details

CWE(s): CWE-601

Affected Products

mozilla

firefox

≤ 134.0

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1929584
Issue Tracking · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2025-01/
Vendor Advisory · security@mozilla.org