CVE-2025-27426 - Vulnerability Details

- Firefox Mobile iOS Full Address Bar Spoof Using Server-Side Redirect to internal error page

Description

Malicious websites utilizing a server-side redirect to an internal error page could result in a spoofed website URL. This vulnerability was fixed in Firefox for iOS 136.

Published: 2025-03-04

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Malicious websites can issue a server‑side redirect to an internal error page, causing the address bar to display a spoofed URL. The attacker is subsequently able to lure users into believing they are accessing a legitimate site, which could lead to credential theft or other social‑engineering attacks. The vulnerability is an open redirect (CWE‑601) and does not provide direct code execution or denial of service, but it enables phishing and deceptive UI behavior.

Affected Systems

Mozilla Firefox for iOS is affected, specifically all releases prior to version 136. The issue was addressed and fixed in Firefox for iOS 136, so any device running an older build on iPhone OS is vulnerable. Apple’s iOS platform itself is not the direct target, but the browsers on iOS devices are.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity, and the EPSS is below 1%, suggesting a low probability of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers would typically need to trick a user into visiting a malicious webpage that performs the redirect; the spoofed URL trick is visible to the user, so detection is possible but not guaranteed. Because the flaw involves a server‑side redirect, exploitation requires an attacker‑controlled website and victim browsing behavior.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox for iOS

affected

Version	Status	Constraints
`136`	unaffected	≤ *

Configuration 1 [-]

AND

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Firefox for iOS to version 136 or later via the App Store.
Enable auto‑update for the App Store to receive future security patches automatically.
Exercise caution when clicking links from untrusted sources to prevent malicious redirects.

Generated by OpenCVE AI on April 20, 2026 at 18:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-7774	Malicious websites utilizing a server-side redirect to an internal error page could result in a spoofed website URL This vulnerability affects Firefox for iOS < 136.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00322.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1933079
https://www.mozilla.org/security/advisories/mfsa2025-13/

History

Mon, 13 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	Malicious websites utilizing a server-side redirect to an internal error page could result in a spoofed website URL This vulnerability affects Firefox for iOS < 136.	Malicious websites utilizing a server-side redirect to an internal error page could result in a spoofed website URL. This vulnerability was fixed in Firefox for iOS 136.
Title		Firefox Mobile iOS Full Address Bar Spoof Using Server-Side Redirect to internal error page

Thu, 03 Apr 2025 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple iphone Os Mozilla Mozilla firefox
CPEs		cpe:2.3:a:mozilla:firefox:::::::: cpe:2.3:o:apple:iphone_os:-:::::::*
Vendors & Products		Apple Apple iphone Os Mozilla Mozilla firefox

Tue, 04 Mar 2025 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-601
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 04 Mar 2025 13:45:00 +0000

Type	Values Removed	Values Added
Description		Malicious websites utilizing a server-side redirect to an internal error page could result in a spoofed website URL This vulnerability affects Firefox for iOS < 136.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1933079 https://www.mozilla.org/security/advisories/mfsa2025-13/

Subscriptions

Apple Iphone Os

Mozilla Firefox

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-03-04T13:31:27.827Z

Updated: 2026-04-13T14:29:03.195Z

Reserved: 2025-02-24T20:03:31.187Z

Link: CVE-2025-27426

Vulnrichment

Updated: 2025-03-04T15:32:07.799Z

NVD

Status : Modified

Published: 2025-03-04T14:15:39.593

Modified: 2026-04-13T15:16:55.467

Link: CVE-2025-27426

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T18:30:13Z

Weaknesses

CWE-601

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object