Description
A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability was fixed in Firefox 137, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9.
Published: 2025-04-01
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: URL bar spoofing via hidden Unicode characters
Action: Patch
AI Analysis

Impact

A crafted URL that includes specific non‑BMP Unicode characters can conceal the true origin of a web page, causing the browser to display a misleading address bar entry. This flaw permits an attacker to spoof the address shown to a user, potentially directing them to a malicious site. The vulnerability is classified as CWE‑290 and CWE‑346, indicating a failure in authentication‑based control and a token validation weakness, respectively, and leads only to deceptive navigation rather than direct code execution or system compromise.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are the documented affected products. Versions before Firefox 137 and before Firefox ESR 128.9, as well as versions before Thunderbird 137 and Thunderbird 128.9, are vulnerable. The CPE list also references Red‑Hat Enterprise Linux components, but the original description does not state that they are impacted; their inclusion appears to reflect support channels for the affected Firefox release streams.

Risk and Exploitability

With a CVSS score of 7.3 the vulnerability is high in severity, but the EPSS score of less than 1 % suggests a low likelihood of exploitation. It is not listed in the CISA KEV catalog. An attacker would typically craft a link containing the hidden characters—such as in an email or a web page—and rely on user interaction by clicking the spoofed address. The attack requires no additional credentials and exploits only the rendering of Unicode characters in URLs.

Generated by OpenCVE AI on April 22, 2026 at 01:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 137 or newer, or to the ESR 128.9 release or newer.
  • Upgrade Mozilla Thunderbird to version 137 or newer, or to the ESR 128.9 release or newer.
  • As a temporary measure, restrict or block URLs containing non‑BMP Unicode characters and enable browser safe‑navigation alerts to mitigate spoofing risk.

Generated by OpenCVE AI on April 22, 2026 at 01:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4109-1 firefox-esr security update
Debian DLA Debian DLA DLA-4110-1 thunderbird security update
Debian DSA Debian DSA DSA-5889-1 firefox-esr security update
Debian DSA Debian DSA DSA-5891-1 thunderbird security update
EUVD EUVD EUVD-2025-9300 A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 137, Firefox ESR < 128.9, Thunderbird < 137, and Thunderbird < 128.9.
Ubuntu USN Ubuntu USN USN-7663-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 137, Firefox ESR < 128.9, Thunderbird < 137, and Thunderbird < 128.9. A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability was fixed in Firefox 137, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9.
Title firefox: thunderbird: URL Bar Spoofing via non-BMP Unicode characters URL Bar Spoofing via non-BMP Unicode characters

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Wed, 14 May 2025 03:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10.0

Mon, 07 Apr 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
CPEs cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_eus:8.8
cpe:/a:redhat:rhel_tus:8.6
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els

Mon, 07 Apr 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Fri, 04 Apr 2025 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus
Redhat rhel Tus
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_eus:9.4
cpe:/a:redhat:rhel_tus:8.4
Vendors & Products Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus
Redhat rhel Tus

Wed, 02 Apr 2025 06:45:00 +0000

Type Values Removed Values Added
Description A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 137, Firefox ESR < 128.9, Thunderbird < 137, and Thunderbird ESR < 128.9. A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 137, Firefox ESR < 128.9, Thunderbird < 137, and Thunderbird < 128.9.

Wed, 02 Apr 2025 02:15:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: URL Bar Spoofing via non-BMP Unicode characters
Weaknesses CWE-346
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 01 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-290
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 12:45:00 +0000

Type Values Removed Values Added
Description A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability affects Firefox < 137, Firefox ESR < 128.9, Thunderbird < 137, and Thunderbird ESR < 128.9.
References

Subscriptions

Mozilla Firefox Thunderbird
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:26:00.288Z

Reserved: 2025-03-31T09:35:20.446Z

Link: CVE-2025-3029

cve-icon Vulnrichment

Updated: 2025-11-03T19:46:49.584Z

cve-icon NVD

Status : Modified

Published: 2025-04-01T13:15:41.290

Modified: 2026-04-13T15:16:56.460

Link: CVE-2025-3029

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-04-01T12:28:59Z

Links: CVE-2025-3029 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T02:00:05Z

Weaknesses