CVE-2025-3859 - Vulnerability Details

- Firefox Focus elide URL allows address bar spoofing

Description

Websites directing users to long URLs that caused eliding to occur in the location view could leverage the truncating behavior to potentially trick users into thinking they were on a different webpage. This vulnerability was fixed in Focus 138.

Published: 2025-04-30

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw allows a website to craft a very long URL that, when loaded in Firefox Focus, is truncated in the location bar, potentially displaying a misleading shorter address. The truncation may cause a user to erroneously believe they are on a different site, thus facilitating phishing or social engineering attacks. The weakness is represented by CWE‑451 (Information Exposure) and CWE‑601 (Intentional Redirect), indicating that the vulnerability is a result of improper handling of user-visible data rather than a code execution flaw.

Affected Systems

The issue affects Mozilla Focus on iPhone OS, specifically all builds prior to version 138. Users running an earlier Focus release are susceptible to the URL truncation behavior.

Risk and Exploitability

The CVSS score of 4.3 classifies the impact as low, and the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, and it is a client‑side UI bug that requires a user to visit a crafted long URL. Consequently, the overall risk is moderate in that it could support phishing attempts but does not enable remote code execution or system compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Focus

affected

Version	Status	Constraints
`138`	unaffected	≤ *

Configuration 1 [-]

cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:iphone_os:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Mozilla Focus to version 138 or later to eliminate the URL truncation flaw.
Avoid interacting with websites that employ excessively long URLs designed to truncate; verify the full address by hovering over or copying the link.
Consider using an alternative mobile browser for sites where address bar integrity is critical.

Generated by OpenCVE AI on April 20, 2026 at 17:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-12733	Websites directing users to long URLs that caused eliding to occur in the location view could leverage the truncating behavior to potentially trick users into thinking they were on a different webpage This vulnerability affects Focus < 138.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00156.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1951533
https://www.mozilla.org/security/advisories/mfsa2025-33/

History

Mon, 13 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	Websites directing users to long URLs that caused eliding to occur in the location view could leverage the truncating behavior to potentially trick users into thinking they were on a different webpage This vulnerability affects Focus < 138.	Websites directing users to long URLs that caused eliding to occur in the location view could leverage the truncating behavior to potentially trick users into thinking they were on a different webpage. This vulnerability was fixed in Focus 138.
Title		Firefox Focus elide URL allows address bar spoofing

Mon, 12 May 2025 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox Focus
Weaknesses		CWE-601
CPEs		cpe:2.3:a:mozilla:firefox_focus::::::iphone_os::*
Vendors & Products		Mozilla Mozilla firefox Focus

Mon, 12 May 2025 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-451
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 30 Apr 2025 16:45:00 +0000

Type	Values Removed	Values Added
Description		Websites directing users to long URLs that caused eliding to occur in the location view could leverage the truncating behavior to potentially trick users into thinking they were on a different webpage This vulnerability affects Focus < 138.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1951533 https://www.mozilla.org/security/advisories/mfsa2025-33/

Subscriptions

Mozilla Firefox Focus

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-04-30T16:30:18.670Z

Updated: 2026-04-13T14:28:36.100Z

Reserved: 2025-04-21T16:01:02.407Z

Link: CVE-2025-3859

Vulnrichment

Updated: 2025-04-30T17:15:05.584Z

NVD

Status : Modified

Published: 2025-04-30T17:15:50.903

Modified: 2026-04-13T15:16:58.203

Link: CVE-2025-3859

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T17:15:12Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object