CVE-2025-0245 - Vulnerability Details

- Lock screen setting bypass in Firefox Focus for Android

Description

Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed. This vulnerability was fixed in Firefox 134.

Published: 2025-01-07

Score: 3.3 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Under certain circumstances the user opt‑in setting that requires authentication before using Firefox Focus could be bypassed, allowing the application to be accessed without its intended authentication mechanism. The weakness is classified as CWE‑288: Improper Authentication. Using the app in this way could expose private browsing sessions or location data that were meant to be protected by the lock screen setting.

Affected Systems

Mozilla Firefox Focus for Android. Versions up to but not including 134 are vulnerable. The fix is applied in Firefox 134 and later.

Risk and Exploitability

The CVSS score of 3.3 indicates a low severity issue, and the EPSS score is reported as less than 1 %, suggesting a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would presumably require the attacker to be in possession of the device and to trigger the specific circumstances that allow the authentication bypass; it is not a remote or network‑based attack. As such, the overall risk remains low.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`134`	unaffected	≤ *

Configuration 1 [-]

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Firefox Focus to version 134 or later, which contains the fix for the authentication bypass.
Verify that the login‑or‑lock‑screen requirement is enabled and functional in the app’s settings after the upgrade.
Keep the application and OS up to date and monitor for any user reports of unauthorized access to the app’s features.

Generated by OpenCVE AI on April 20, 2026 at 18:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-1577	Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed. This vulnerability affects Firefox < 134.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1895342
https://nvd.nist.gov/vuln/detail/CVE-2025-0245
https://www.cve.org/CVERecord?id=CVE-2025-0245
https://www.mozilla.org/security/advisories/mfsa2025-01/

History

Mon, 13 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed. This vulnerability affects Firefox < 134.	Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed. This vulnerability was fixed in Firefox 134.
Title	firefox: Lock screen setting bypass in Firefox Focus for Android	Lock screen setting bypass in Firefox Focus for Android

Thu, 03 Apr 2025 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:mozilla:firefox::::::::
Vendors & Products		Mozilla Mozilla firefox

Thu, 09 Jan 2025 14:00:00 +0000

Type	Values Removed	Values Added
Title		firefox: Lock screen setting bypass in Firefox Focus for Android
Weaknesses		CWE-288
References		https://nvd.nist.gov/vuln/detail/CVE-2025-0245 https://www.cve.org/CVERecord?id=CVE-2025-0245
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 08 Jan 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 07 Jan 2025 16:15:00 +0000

Type	Values Removed	Values Added
Description		Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed. This vulnerability affects Firefox < 134.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1895342 https://www.mozilla.org/security/advisories/mfsa2025-01/

Subscriptions

Mozilla Firefox

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-01-07T16:07:05.265Z

Updated: 2026-04-13T14:29:55.662Z

Reserved: 2025-01-06T14:49:15.655Z

Link: CVE-2025-0245

Vulnrichment

Updated: 2025-01-08T15:44:48.935Z

NVD

Status : Modified

Published: 2025-01-07T16:15:39.167

Modified: 2026-04-13T15:16:34.837

Link: CVE-2025-0245

Redhat

Severity : Moderate

Publid Date: 2025-01-07T16:07:05Z

Links: CVE-2025-0245 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T18:45:14Z

Weaknesses

CWE-288
Authentication Bypass Using an Alternate Path or Channel
NVD-CWE-noinfo

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object