Description
Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability was fixed in Firefox for iOS 144.0.
Published: 2025-12-18
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: File type spoofing in Firefox for iOS download UI
Action: Update Browser
AI Analysis

Impact

Firefox for iOS could display a misleading name in its downloads UI when the file name supplied by a web site (for example in the URL or in a Content-Disposition header) contains a Unicode right-to-left override character (U+202E). The characters after the override are drawn in reverse order, so a name such as "invoice_[U+202E]fdp.exe" renders as "invoice_exe.pdf" while the file that is actually saved keeps its real ".exe" extension. A user who trusts the displayed name may therefore save, and later open, a file of a type they did not expect. The flaw was addressed in Firefox for iOS 144.0.

Affected Systems

Mozilla Firefox for iOS, with all versions prior to 144.0 affected. Updating to 144.0 or newer removes the vulnerability; any older builds leave the download UI susceptible to filename spoofing via Unicode right‑to‑left override characters.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) reflects a network-reachable, low-complexity attack that needs no privileges but does require user interaction, with the impact confined to integrity: the user is deceived about what is being saved. The EPSS score below 1% indicates a low probability of exploitation at present, and the CVE is not listed in CISA KEV (the SSVC assessment records exploitation as "none" and the attack as not automatable). An attacker only needs to serve a download whose file name contains the override character, which any attacker-controlled site, or any site that lets users upload files with arbitrary names, can do; the spoof still depends on the user choosing to download the file and then opening it. The risk is therefore limited but real, particularly for users who do not update their browser promptly.

Generated by OpenCVE AI on April 20, 2026 at 18:53 UTC.

Remediation

Fixed in Firefox for iOS 144.0 according to the vendor description; no separate workaround has been published.

OpenCVE Recommended Actions

  • Install Firefox for iOS 144.0 or newer, which fixes the CWE-451 (user interface misrepresentation of critical information) flaw in the downloads UI
  • If updating is not immediately possible, avoid downloading files from unfamiliar or untrusted sites, and verify a saved file's actual type before opening it rather than trusting the name shown in the download list; keep in mind that any field rendering the raw Unicode name can show the same reversed text
  • Treat a download whose name renders oddly (reversed text, a harmless-looking extension followed by a second extension, names of the form "document exe.pdf") as suspect; a bidi override character in a file name is almost never legitimate
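The mechanism described under Impact, and the file-type check the recommended actions ask for, as an added example in JavaScript. This is illustrative code written for this page, not Firefox for iOS code and not Mozilla's fix: the Content-Disposition header, the attacker file name and the simplified bidi rendering model are all constructed here, and stripping bidi controls before display is one possible mitigation, not necessarily the one shipped in 144.0.

```javascript
// Added example, not code from Firefox for iOS or Mozilla: shows how a
// U+202E RIGHT-TO-LEFT OVERRIDE makes a download file name *render* with a
// different extension than the one the operating system will use, and a
// detector/sanitiser a download UI could apply before showing a name.

// Unicode bidi control characters that reorder or hide text visually
// (embeddings, overrides, isolates and marks).
const BIDI_CLASS = "[\\u202A-\\u202E\\u2066-\\u2069\\u200E\\u200F\\u061C]";
const BIDI_ANY = new RegExp(BIDI_CLASS);        // non-global, for detection
const BIDI_ALL = new RegExp(BIDI_CLASS, "g");   // global, for stripping
const RLO = "\u202E";

// Constructed attacker response header (assumption: the site names the
// download via Content-Disposition; RFC 5987 percent-encoding carries the
// override's UTF-8 bytes E2 80 AE through unchanged).
const ATTACKER_HEADER =
  "attachment; filename*=UTF-8''invoice_%E2%80%AEfdp.exe";

// Minimal parser for the filename* parameter (RFC 5987 form only).
function filenameFromContentDisposition(header) {
  const m = /filename\*=([^']*)'[^']*'([^;]+)/i.exec(header);
  if (!m) return null;
  return decodeURIComponent(m[2].trim());
}

// Rough model of what a bidi-unaware UI draws: text after an RLO is laid out
// right-to-left, i.e. reversed. The full Unicode Bidirectional Algorithm is
// more involved, but this is enough to reproduce the spoof.
function approximateDisplay(name) {
  const idx = name.indexOf(RLO);
  if (idx === -1) return name.replace(BIDI_ALL, "");
  const head = name.slice(0, idx).replace(BIDI_ALL, "");
  const tail = name.slice(idx + 1).replace(BIDI_ALL, "");
  return head + Array.from(tail).reverse().join("");
}

// Extension after the last dot of whatever string is passed in.
function extensionOf(name) {
  const dot = name.lastIndexOf(".");
  return dot === -1 ? "" : name.slice(dot + 1).toLowerCase();
}

// Extension the OS will actually honour: taken from the raw name with all
// control characters removed, so an override can neither hide nor move it.
function realExtension(name) {
  return extensionOf(name.replace(BIDI_ALL, ""));
}

// Spoof check: any bidi control in the name, or a displayed extension that
// differs from the real one, is reason to refuse or to show the cleaned name.
function isSpoofed(name) {
  return BIDI_ANY.test(name) ||
    extensionOf(approximateDisplay(name)) !== realExtension(name);
}

// Mitigation a download UI can apply (assumption: strip rather than escape):
// remove every bidi control before rendering, so display order == stored order.
function sanitizeForDisplay(name) {
  return name.replace(BIDI_ALL, "");
}

const demoName = filenameFromContentDisposition(ATTACKER_HEADER);
console.log("raw name     :", JSON.stringify(demoName));
console.log("as displayed :", approximateDisplay(demoName));   // invoice_exe.pdf
console.log("real ext     :", realExtension(demoName));        // exe
console.log("spoofed?     :", isSpoofed(demoName));            // true
console.log("sanitised    :", sanitizeForDisplay(demoName));   // invoice_fdp.exe
```

Run it with `node` and compare the "as displayed" and "real ext" lines: the name a user sees ends in ".pdf" while the saved file is an ".exe". A UI that renders the sanitised name, or refuses names for which `isSpoofed` is true, removes the ambiguity; the same check applies to names taken from a URL path, since the override survives percent-decoding there too.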

Generated by OpenCVE AI on April 20, 2026 at 18:53 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability affects Firefox for iOS < 144.0. | Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability was fixed in Firefox for iOS 144.0.

Tue, 06 Jan 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla firefox
CPEs | | cpe:2.3:a:mozilla:firefox:*:*:*:*:*:iphone_os:*:*
Vendors & Products | | Mozilla firefox

Fri, 19 Dec 2025 09:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apple; Apple ios; Mozilla; Mozilla firefox For Ios
Vendors & Products | | Apple; Apple ios; Mozilla; Mozilla firefox For Ios

Thu, 18 Dec 2025 20:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-451
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 14:30:00 +0000

Type | Values Removed | Values Added
Description | | Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability affects Firefox for iOS < 144.0.
Title | | Filename spoofing via Unicode Right-to-Left Override in Firefox for iOS
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:31:42.899Z

Reserved: 2025-12-15T19:44:44.939Z

Link: CVE-2025-14744

Vulnrichment

Updated: 2025-12-18T19:12:48.892Z

NVD

Status : Modified

Published: 2025-12-18T15:15:52.500

Modified: 2026-04-13T15:16:47.220

Link: CVE-2025-14744

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:00:10Z

Weaknesses