CVE-2025-1941
Published: 04 March 2025
Description
Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been bypassed (distinct from CVE-2025-0245). This vulnerability was fixed in Firefox 136.
Security Summary
CVE-2025-1941 is an improper access control vulnerability (CWE-284) in Mozilla Firefox, where under certain circumstances a user opt-in setting requiring authentication before using the Focus feature could be bypassed. This issue is distinct from CVE-2025-0245 and affects the Focus component in Firefox versions prior to 136. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its potential for high confidentiality and integrity impacts.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows bypassing the authentication requirement for Focus, enabling unauthorized access that compromises sensitive data (high confidentiality impact) and potentially modifies protected resources (high integrity impact) without disrupting availability.
Mozilla's security advisory (MFSA 2025-14) and Bugzilla entry (1944665) document the flaw and confirm it was addressed in Firefox 136. Security practitioners should advise users to update to Firefox 136 or later to mitigate the risk.
Details
- CWE(s)