CVE-2025-1940
Published: 04 March 2025
Description
An adversary may rely upon specific actions by a user in order to gain execution.
Security Summary
CVE-2025-1940 is a user interface vulnerability affecting only Firefox for Android; other Firefox versions are unaffected. A select element's options could partially obscure the confirmation prompt that Firefox shows before launching an external application, which a malicious page could use to trick the user into unexpectedly launching an external app. This is a UI redressing flaw, hence its classification under CWE-1021 (Improper Restriction of Rendered UI Layers or Frames). It was published on 2025-03-04 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).
An unauthenticated remote attacker exploits this over the network with low attack complexity by serving crafted web content that positions a select element so that it hides the parts of the confirmation dialog the user would need to read before deciding. User interaction is required: the victim must confirm a prompt whose contents they cannot fully see. The outcome is the unintended launch of an external app with a target chosen by the attacker's page, rated as high confidentiality impact and low integrity impact. No memory-safety or code-execution flaw in the browser itself is involved; the damage depends on what the launched app does with the attacker-supplied input.
Mozilla fixed this vulnerability in Firefox 136; the remediation is to update Firefox for Android to 136 or later. Details are in Mozilla Foundation Security Advisory MFSA 2025-14 at https://www.mozilla.org/security/advisories/mfsa2025-14/ and in the related Bugzilla entry at https://bugzilla.mozilla.org/show_bug.cgi?id=1908488. On a managed fleet, verify the installed versionName on each device (for example with adb shell dumpsys package org.mozilla.firefox) rather than assuming auto-update has already run.
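As an added example of that version check (this is not Mozilla's code and is not part of the advisory): a POSIX sh helper that extracts the versionName field from adb shell dumpsys package output and reports whether the installed build predates the Firefox 136 fix. It assumes the release package name org.mozilla.firefox (Beta and Nightly builds use other package names, so adjust accordingly) and that dumpsys prints a line of the form versionName=135.0.1; the dumpsys output embedded below is constructed for the example, not captured from a device.

```shell
#!/bin/sh
# Added example, not Mozilla's code: decide whether an installed Firefox for
# Android build predates the CVE-2025-1940 fix (Firefox 136, MFSA 2025-14).
# Assumptions: release package name org.mozilla.firefox, and that
# `adb shell dumpsys package <pkg>` prints a line like "    versionName=135.0.1".
# Firefox for Android tracks desktop version numbers, so the major version alone
# decides: anything below 136 is affected.

FIXED_MAJOR=136

# extract_version: read dumpsys output on stdin, print the first versionName value.
extract_version() {
    sed -n 's/^[[:space:]]*versionName=\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# is_affected VERSION: prints affected/fixed/unknown.
# Exit status 0 = affected, 1 = fixed, 2 = version string not understood.
is_affected() {
    ver=$1
    major=${ver%%.*}
    case $major in
        ''|*[!0-9]*) echo unknown; return 2 ;;
    esac
    if [ "$major" -lt "$FIXED_MAJOR" ]; then
        echo affected
        return 0
    fi
    echo fixed
    return 1
}

# Constructed sample of the relevant dumpsys lines (not real device output).
SAMPLE_DUMPSYS='Package [org.mozilla.firefox] (1a2b3c):
    userId=10123
    versionCode=2016035123 minSdk=21 targetSdk=34
    versionName=135.0.1
    splits=[base]'

# check_sample: run the full pipeline over the constructed sample.
check_sample() {
    is_affected "$(printf '%s\n' "$SAMPLE_DUMPSYS" | extract_version)"
}

# Live check against a connected, USB-debugging-enabled device (needs adb):
#   is_affected "$(adb shell dumpsys package org.mozilla.firefox | extract_version)"
```

The helper deliberately treats an unparseable version as "unknown" with its own exit status rather than silently reporting "fixed", so a device that is missing the package, or an adb failure that produces empty output, shows up as something to investigate instead of passing the check.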
Details
- CWE(s): CWE-1021 (Improper Restriction of Rendered UI Layers or Frames)
Affected Products
- Firefox for Android, versions before 136
MITRE ATT&CK Enterprise Techniques
- User Execution (the technique whose description appears under Description above: an adversary relies on specific actions by a user in order to gain execution)
Why these techniques?
The UI flaw obscures the confirmation prompt shown before an external app launch, so crafted web content can induce the user to approve a launch they did not intend. The victim's own tap on the prompt supplies the execution step, which is what defines User Execution; the adversary needs no privileges, only a page the victim visits.