Description
When using an invalid protocol scheme, an attacker could spoof the address bar.
*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*
*Note: This issue is a different issue from CVE-2025-0244. This vulnerability was fixed in Firefox 134.*
Published: 2025-01-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Address Bar Spoofing
Action: Immediate Patch
AI Analysis

Impact

When a user opens a link that contains an invalid protocol scheme, Firefox for Android renders a forged address bar display, causing the user to believe they are viewing a legitimate site. The attacker can therefore present malicious content under the guise of a trusted domain, potentially leading to phishing or social‑engineering attacks. This flaw does not provide direct code execution or data exfiltration, but the deception effect can carry significant business and reputational impact.

Affected Systems

The issue affects all versions of Mozilla Firefox for Android prior to the 134 release. Operating systems other than Android are unaffected. Any Android device running an outdated Firefox installation is vulnerable until a patched version is installed.

Risk and Exploitability

The CVSS score of 6.5 rates the vulnerability as medium severity, and the EPSS score of less than 1% indicates that exploitation incidents are expected to be rare. It is not listed in CISA's KEV catalog. Attackers would typically need a user to interact with a malicious link containing the malformed scheme, such as by clicking text in an email, message, or webpage. No elevated privileges or additional system compromise are required to exploit this flaw.

Generated by OpenCVE AI on April 20, 2026 at 18:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to version 134 or newer on all Android devices, since that release contains the fix for invalid protocol scheme handling.
  • If a timely update is not feasible, configure device or browser policy to block unknown or unregistered protocol schemes so that malformed links cannot trigger the spoofed address bar.
  • Educate users to verify the actual domain in the address bar, especially when viewing links from untrusted sources, and rely on built‑in phishing detection tools to catch deceptive pages.

Generated by OpenCVE AI on April 20, 2026 at 18:34 UTC.


Advisories
Source: EUVD
ID: EUVD-2025-1578
Title: When using an invalid protocol scheme, an attacker could spoof the address bar. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* *Note: This issue is a different issue from CVE-2025-0244. This vulnerability affects Firefox < 134.*
History

Mon, 13 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: When using an invalid protocol scheme, an attacker could spoof the address bar. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* *Note: This issue is a different issue from CVE-2025-0244. This vulnerability affects Firefox < 134.*
Values Added: When using an invalid protocol scheme, an attacker could spoof the address bar. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* *Note: This issue is a different issue from CVE-2025-0244. This vulnerability was fixed in Firefox 134.*

Type: Title
Values Removed: firefox: Address bar spoofing using an invalid protocol scheme on Firefox for Android
Values Added: Address bar spoofing using an invalid protocol scheme on Firefox for Android

Thu, 03 Apr 2025 17:00:00 +0000

Type: First Time appeared
Values Added: Google, Google android, Mozilla, Mozilla firefox

Type: Weaknesses
Values Added: NVD-CWE-noinfo

Type: CPEs
Values Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*, cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Google, Google android, Mozilla, Mozilla firefox

Thu, 09 Jan 2025 14:00:00 +0000

Type: Title
Values Added: firefox: Address bar spoofing using an invalid protocol scheme on Firefox for Android

Type: Weaknesses
Values Added: CWE-451

Type: References

Type: Metrics threat_severity
Values Removed: None
Values Added: Moderate


Wed, 08 Jan 2025 16:15:00 +0000

Type: Metrics cvssV3_1
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Type: Metrics ssvc
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jan 2025 16:15:00 +0000

Type: Description
Values Added: When using an invalid protocol scheme, an attacker could spoof the address bar. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* *Note: This issue is a different issue from CVE-2025-0244. This vulnerability affects Firefox < 134.*

Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:29:57.530Z

Reserved: 2025-01-06T14:49:17.440Z

Link: CVE-2025-0246

Vulnrichment

Updated: 2025-01-08T15:54:20.489Z

NVD

Status: Modified

Published: 2025-01-07T16:15:39.260

Modified: 2026-04-13T15:16:35.003

Link: CVE-2025-0246

Redhat

Severity: Moderate

Published Date: 2025-01-07T16:07:05Z

Links: CVE-2025-0246 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T18:45:14Z

Weaknesses