Description
When redirecting to an invalid protocol scheme, an attacker could spoof the address bar.
*Note: This issue only affected Android operating systems. Other operating systems are unaffected.* This vulnerability was fixed in Firefox 134.
Published: 2025-01-07
Score: 5.3 Medium
EPSS: 7.5% Low
KEV: No
Impact: Address bar spoofing via invalid protocol scheme
Action: Patch
AI Analysis

Impact

The flaw allows a malicious web page to trigger a redirect to an invalid protocol scheme. Firefox for Android then displays the attacker-supplied URL in the address bar, creating a visual spoof that can mislead users into believing they are on a trusted site while unknowingly interacting with malicious content. The weakness lies in improper validation of the scheme component, as identified by CWE-451 and CWE-601, and can jeopardize confidentiality and integrity by enabling deceptive interactions.

Affected Systems

Any installation of Mozilla Firefox running on Android devices that is older than version 134 is susceptible. The issue does not affect Firefox on other operating systems or Firefox 134 and later, which include the fix that validates the scheme before updating the UI.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of 7% reflects a modest likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog, suggesting no widespread exploitation has been observed. Attackers would need to lure a user to click a crafted link or visit a malicious site; no elevated privileges are required. Because the flaw is limited to Android, the attack surface is confined to mobile users running older Firefox versions.

Generated by OpenCVE AI on April 20, 2026 at 18:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox on all Android devices to version 134 or later.
  • Ensure the Android operating system on those devices remains current so that the new browser bundle is installed automatically.
  • If an upgrade is temporarily infeasible, remove or disable any legacy Firefox installations until an update can be applied.


Advisories
Source: EUVD
ID: EUVD-2025-1576
Title: When redirecting to an invalid protocol scheme, an attacker could spoof the address bar. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 134.
History

Mon, 13 Apr 2026 15:00:00 +0000

Type: Description
  Values Removed: When redirecting to an invalid protocol scheme, an attacker could spoof the address bar. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 134.
  Values Added: When redirecting to an invalid protocol scheme, an attacker could spoof the address bar. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 134.
Type: Title
  Values Removed: firefox: Address bar spoofing using an invalid protocol scheme on Firefox for Android
  Values Added: Address bar spoofing using an invalid protocol scheme on Firefox for Android

Thu, 03 Apr 2025 17:00:00 +0000

Type: First Time appeared
  Values Added: Mozilla; Mozilla firefox
Type: CPEs
  Values Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Mozilla; Mozilla firefox

Thu, 09 Jan 2025 14:00:00 +0000

Type: Title
  Values Added: firefox: Address bar spoofing using an invalid protocol scheme on Firefox for Android
Type: Weaknesses
  Values Added: CWE-451
Type: References
Type: Metrics
  threat_severity
    Values Removed: None
    Values Added: Important

Wed, 08 Jan 2025 16:15:00 +0000

Type: Weaknesses
  Values Added: CWE-601
Type: Metrics
  cvssV3_1
    Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  ssvc
    Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jan 2025 16:15:00 +0000

Type: Description
  Values Added: When redirecting to an invalid protocol scheme, an attacker could spoof the address bar. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 134.
Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:29:52.692Z

Reserved: 2025-01-06T14:49:13.692Z

Link: CVE-2025-0244

Vulnrichment

Updated: 2025-01-08T15:24:26.008Z

NVD

Status : Modified

Published: 2025-01-07T16:15:39.073

Modified: 2026-04-13T15:16:34.657

Link: CVE-2025-0244

Redhat

Severity : Important

Public Date: 2025-01-07T16:07:04Z

Links: CVE-2025-0244 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T18:45:14Z

Weaknesses