Description
Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client. This vulnerability was fixed in Firefox for iOS 139.
Published: 2025-05-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: URL address spoofing that can trick users into believing they are visiting legitimate sites
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows maliciously crafted URLs that use non-HTTP schemes to be opened in Firefox for iOS from other applications such as Safari. By leveraging these internal schemes, an attacker can trick users into seeing a forged website address. Based on the description, it is inferred that such spoofing could be used for phishing or social‑engineering, although this is not explicitly stated. This flaw is classified under CWE‑939 and affects the trust model of the URL bar and the user’s perception of site authenticity.

Affected Systems

Mozilla Firefox for iOS versions prior to 139 are impacted. The security fix was included in the 139 release and later versions. Users of older builds should verify their application version to determine if the issue remains present.

Risk and Exploitability

The CVSS score of 4.3 denotes moderate risk, while an EPSS score of < 1 % indicates a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, suggesting no widespread or known active exploits. Exploitation likely requires the attacker to supply a malicious link in another app that then directs Firefox to open a non‑HTTP scheme. The CVE description does not mention remote code execution or other destructive actions.

Generated by OpenCVE AI on April 20, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Firefox for iOS 139 or later to receive the fix for non‑HTTP scheme spoofing.
  • Avoid opening or allowing links with non‑HTTP schemes from other applications; only click standard http or https URLs.
  • If upgrading immediately is not possible, restrict or disable external applications from launching Firefox with custom URL schemes through device settings.

Generated by OpenCVE AI on April 20, 2026 at 20:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-16036 Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client This vulnerability affects Firefox for iOS < 139.
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client This vulnerability affects Firefox for iOS < 139. Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client. This vulnerability was fixed in Firefox for iOS 139.
Title Links using non-HTTP schemes opened from other apps such as Safari could have allowed spoofing of website addresses

Fri, 13 Jun 2025 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:iphone_os:*:*
Vendors & Products Mozilla
Mozilla firefox

Wed, 21 May 2025 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-939
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 May 2025 17:30:00 +0000

Type Values Removed Values Added
Description Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client This vulnerability affects Firefox for iOS < 139.
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:30:18.166Z

Reserved: 2025-05-21T01:18:07.391Z

Link: CVE-2025-5020

cve-icon Vulnrichment

Updated: 2025-05-21T19:00:22.263Z

cve-icon NVD

Status : Modified

Published: 2025-05-21T18:15:53.840

Modified: 2026-04-13T15:17:03.370

Link: CVE-2025-5020

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T20:45:16Z

Weaknesses