Description
Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address. This vulnerability was fixed in Firefox for iOS 134.
Published: 2025-01-11
Score: 6.5 Medium
EPSS: 1.1% Low
KEV: No
Impact: Address bar spoofing
Action: Apply patch
AI Analysis

Impact

Mozilla Firefox for iOS allows long hostnames in URLs to be displayed in a way that hides the true host, potentially misleading users about the site they are visiting. Based on the description, the vulnerability could be exploited to facilitate phishing or social‑engineering attacks that rely on a user's trust in the displayed address. It is an input manipulation flaw (CWE‑346) that does not give direct access or code execution but undermines user confidence and could, if a user is tricked into submitting information on a forged address, lead to credential compromise.

Affected Systems

Firefox for iOS versions prior to 134 are affected. The vulnerability was addressed in Firefox for iOS 134, so all earlier builds of Firefox for iOS should be considered at risk.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity flaw. The EPSS score of less than 1% suggests a low probability of exploitation at this time. The issue is not listed in the CISA KEV catalog. Based on the description, the likely exploitation scenario would involve a malicious site with a very long hostname designed to mislead the address bar display; the attacker would need users to visit such a site, but no further privileges or payloads are required.

Generated by OpenCVE AI on April 20, 2026 at 23:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox for iOS to version 134 or later
  • Enable automatic updates for the Firefox app to receive future security fixes
  • Verify that the browser’s privacy settings are configured to prevent address‑bar spoofing by third‑party elements

Generated by OpenCVE AI on April 20, 2026 at 23:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3123 Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address This vulnerability affects Firefox for iOS < 134.
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address This vulnerability affects Firefox for iOS < 134. Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address. This vulnerability was fixed in Firefox for iOS 134.
Title Address bar spoofing on iOS using long hostnames

Thu, 03 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:iphone_os:*:*
Vendors & Products Mozilla
Mozilla firefox

Mon, 13 Jan 2025 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 11 Jan 2025 03:45:00 +0000

Type Values Removed Values Added
Description Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address This vulnerability affects Firefox for iOS < 134.
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-20T14:30:16.952Z

Reserved: 2025-01-10T21:00:17.659Z

Link: CVE-2025-23109

cve-icon Vulnrichment

Updated: 2025-01-13T17:42:56.845Z

cve-icon NVD

Status : Modified

Published: 2025-01-11T04:15:06.367

Modified: 2026-04-13T15:16:54.600

Link: CVE-2025-23109

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T00:00:13Z

Weaknesses