CVE-2025-55029 - Vulnerability Details

- Malicious scripts could spam popups for denial of service attacks

Description

Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks. This vulnerability was fixed in Firefox for iOS 142.

Published: 2025-08-19

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Malicious scripts can bypass Firefox for iOS’s popup blocker to open many new tabs, which can consume system resources and render the browser unusable. The weakness is a resource exhaustion flaw (CWE-400) that leads to denial of service.

Affected Systems

Mozilla Firefox for iOS versions earlier than 142 are affected. The fix was implemented in Firefox for iOS 142, so all users on 141 and earlier are vulnerable.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity condition. The EPSS score of less than 1% shows a very low probability of observed exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to inject a malicious script into a web page or local content that the target user opens, or otherwise get the script executed in the browser context, to trigger the popup spam. The exploit path requires the user to load the compromised content; no remote code execution or elevated privileges are required. The impact is limited to the client’s device resources, though repeated attacks could degrade the browsing experience over time.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox for iOS

affected

Version	Status	Constraints
`142`	unaffected	≤ *

Configuration 1 [-]

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:iphone_os:*:*

No data.

Vendor	Product	Confidence	Versions
Apple	Ios	—	—
Mozilla	Firefox For Ios	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Firefox for iOS to version 142 or later.
Enable the browser’s popup blocker, which provides partial protection when the script is blocked.
Avoid visiting or interacting with untrusted web content and consider installing reputable content blockers on iOS.

Generated by OpenCVE AI on April 20, 2026 at 16:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-25224	Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks This vulnerability affects Firefox for iOS < 142.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00119.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1973577
https://www.mozilla.org/security/advisories/mfsa2025-68/

History

Mon, 13 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks This vulnerability affects Firefox for iOS < 142.	Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks. This vulnerability was fixed in Firefox for iOS 142.

Thu, 30 Oct 2025 16:30:00 +0000

Type	Values Removed	Values Added
Title		Malicious scripts could spam popups for denial of service attacks

Thu, 21 Aug 2025 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla firefox
CPEs		cpe:2.3:a:mozilla:firefox::::::iphone_os::*
Vendors & Products		Mozilla firefox

Thu, 21 Aug 2025 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple ios Mozilla Mozilla firefox For Ios
Vendors & Products		Apple Apple ios Mozilla Mozilla firefox For Ios

Wed, 20 Aug 2025 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 19 Aug 2025 21:00:00 +0000

Type	Values Removed	Values Added
Description		Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks This vulnerability affects Firefox for iOS < 142.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1973577 https://www.mozilla.org/security/advisories/mfsa2025-68/

Subscriptions

Apple Ios

Mozilla Firefox Firefox For Ios

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-08-19T20:52:50.120Z

Updated: 2026-04-13T14:31:53.669Z

Reserved: 2025-08-05T13:26:34.685Z

Link: CVE-2025-55029

Vulnrichment

Updated: 2025-08-20T14:01:20.734Z

NVD

Status : Modified

Published: 2025-08-19T21:15:28.090

Modified: 2026-04-13T15:17:02.503

Link: CVE-2025-55029

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T17:00:12Z

Weaknesses

CWE-400

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object