Description
When switching between Android apps using the card carousel Firefox shows a black screen as its card image when a password-related screen was the last one being used. Prior to Firefox 144 the password edit screen was visible. This vulnerability was fixed in Firefox 144.
Published: 2025-10-14
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Update Firefox
AI Analysis

Impact

Firefox versions older than 144 left the password edit screen visible in the Android card carousel, exposing user-entered passwords in the app's card thumbnail. Password characters can therefore become visible when a user switches between apps, potentially leaking sensitive authentication information. The flaw is an information disclosure issue classified as CWE-200.

Affected Systems

The problem affects Mozilla Firefox installations on Android devices running Firefox prior to version 144. All Android operating systems are listed as affected, reflecting the card carousel feature native to Android that renders Firefox pages as cards for app switching. No other vendors or product lines are implicated.

Risk and Exploitability

The CVSS score of 9.1 places this in the critical severity band, reflecting the privacy compromise risk it poses. The EPSS figure of less than 1% indicates a very low likelihood of exploitation in the wild at the time of assessment, yet because no mitigation exists beyond a software update, every user of the affected Firefox builds remains at risk. The vulnerability is not listed in the CISA KEV catalog, but its impact justifies prompt remediation.

Generated by OpenCVE AI on April 20, 2026 at 17:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 144 or later, which removes the card‑view disclosure bug.
  • If an upgrade is not immediately possible, disable the Android card‑carousel feature in Firefox settings or cease using Firefox for password input on Android until a patch is applied.
  • Stay informed of any new advisories by monitoring Mozilla’s security alerts and apply subsequent releases as they become available.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: When switching between Android apps using the card carousel Firefox shows a black screen as its card image when a password-related screen was the last one being used. Prior to Firefox 144 the password edit screen was visible. This vulnerability affects Firefox < 144.
Values Added: When switching between Android apps using the card carousel Firefox shows a black screen as its card image when a password-related screen was the last one being used. Prior to Firefox 144 the password edit screen was visible. This vulnerability was fixed in Firefox 144.

Thu, 30 Oct 2025 16:30:00 +0000

Type: Title
Values Removed: (none)
Values Added: The password edit screen was not hidden in Android card view

Wed, 15 Oct 2025 18:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Google; Google android; Mozilla; Mozilla firefox

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*; cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Google; Google android; Mozilla; Mozilla firefox

Wed, 15 Oct 2025 14:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-200

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Oct 2025 13:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: When switching between Android apps using the card carousel Firefox shows a black screen as its card image when a password-related screen was the last one being used. Prior to Firefox 144 the password edit screen was visible. This vulnerability affects Firefox < 144.
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:31:18.968Z

Reserved: 2025-10-13T19:50:16.067Z

Link: CVE-2025-11717

Vulnrichment

Updated: 2025-10-15T13:20:32.059Z

NVD

Status: Modified

Published: 2025-10-14T13:15:38.033

Modified: 2026-04-13T15:16:40.930

Link: CVE-2025-11717

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T18:00:11Z

Weaknesses