CVE-2025-14744 - Vulnerability Details - OpenCVE

Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability affects Firefox for iOS < 144.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1984683
https://www.mozilla.org/security/advisories/mfsa2025-97/

History

Thu, 18 Dec 2025 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-451
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 18 Dec 2025 14:30:00 +0000

Type	Values Removed	Values Added
Description		Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability affects Firefox for iOS < 144.0.
Title		Filename spoofing via Unicode Right-to-Left Override in Firefox for iOS
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1984683 https://www.mozilla.org/security/advisories/mfsa2025-97/

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-12-18T14:21:12.328Z

Updated: 2025-12-18T19:19:42.637Z

Reserved: 2025-12-15T19:44:44.939Z

Link: CVE-2025-14744

Vulnrichment

Updated: 2025-12-18T19:12:48.892Z

NVD

Status : Received

Published: 2025-12-18T15:15:52.500

Modified: 2025-12-18T20:15:54.850

Link: CVE-2025-14744

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-451

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14744", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-12-15T19:44:44.939Z", "datePublished": "2025-12-18T14:21:12.328Z", "dateUpdated": "2025-12-18T19:19:42.637Z"}, "containers": {"cna": {"affected": [{"product": "Firefox for iOS", "vendor": "Mozilla", "versions": [{"lessThan": "144.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability affects Firefox for iOS < 144.0.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability affects Firefox for iOS < 144.0."}]}], "title": "Filename spoofing via Unicode Right-to-Left Override in Firefox for iOS", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1984683"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-97/"}], "credits": [{"lang": "en", "value": "Azril"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2025-12-18T14:21:12.328Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-451", "lang": "en", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-12-18T19:12:45.595694Z", "id": "CVE-2025-14744", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T19:19:42.637Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-14744", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-18T19:12:45.595694Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-18T19:12:48.892Z"}}], "cna": {"title": "Filename spoofing via Unicode Right-to-Left Override in Firefox for iOS", "credits": [{"lang": "en", "value": "Azril"}], "affected": [{"vendor": "Mozilla", "product": "Firefox for iOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "144.0", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1984683"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-97/"}], "descriptions": [{"lang": "en", "value": "Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability affects Firefox for iOS < 144.0.", "supportingMedia": [{"type": "text/html", "value": "Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability affects Firefox for iOS < 144.0.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2025-12-18T14:21:12.328Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14744", "state": "PUBLISHED", "dateUpdated": "2025-12-18T19:19:42.637Z", "dateReserved": "2025-12-15T19:44:44.939Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-12-18T14:21:12.328Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}