Description
Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This vulnerability was fixed in Firefox for iOS 142 and Focus for iOS 142.
Published: 2025-08-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized account access through passkey phishing
Action: Patch Now
AI Analysis

Impact

A malicious website can abuse Firefox for iOS's handling of FIDO: links to hand such a link to the underlying operating system and trigger the hybrid passkey transport. When the user accepts the resulting passkey prompt, the authentication it produces can be used to log the attacker's computer into the user's account. The weakness is classified as CWE-601 (URL Redirection to Untrusted Site, "Open Redirect"), since the page causes navigation to a URI the user did not intend. The consequence is loss of account confidentiality and integrity: the attacker gains authenticated access to the victim's services using the victim's own passkey.

Affected Systems

Mozilla’s browsers on iOS (Firefox and Focus) are affected. The problem exists in all releases prior to version 142 of each product. Versions 142 and later contain a patch that disables the vulnerable handling of FIDO: URIs.

Risk and Exploitability

The CVSS score of 9.8 places the flaw at critical severity. The EPSS score indicates that the likelihood of exploitation in the wild is currently very low (<1%), and consistent with that, the vulnerability is not listed in the CISA KEV catalog, meaning no active exploitation has been confirmed yet. The likely attack vector is a nearby attacker within Bluetooth range who lures a user into visiting a malicious site that then triggers the passkey prompt. No additional prerequisites beyond proximity and user interaction are required.

Generated by OpenCVE AI on April 20, 2026 at 16:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox for iOS and Focus for iOS to version 142 or later to apply the vendor’s patch
  • Disable Bluetooth on the device when not needed to eliminate the proximity requirement for the attack
  • Instruct users to be cautious of passkey requests from unknown or unexpected origins and to confirm the legitimacy of such prompts before accepting

Advisories

Source: EUVD
ID: EUVD-2025-25225
Title: Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This vulnerability affects Firefox for iOS < 142 and Focus for iOS < 142.

History

Mon, 13 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This vulnerability affects Firefox for iOS < 142 and Focus for iOS < 142.
Values Added: Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This vulnerability was fixed in Firefox for iOS 142 and Focus for iOS 142.

Thu, 30 Oct 2025 16:30:00 +0000

Type: Title
Values Added: Passkey phishing within Bluetooth range

Thu, 21 Aug 2025 18:45:00 +0000

Type: First Time appeared
Values Added: Mozilla firefox; Mozilla firefox Focus

Type: CPEs
Values Added:
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:iphone_os:*:*

Type: Vendors & Products
Values Added: Mozilla firefox; Mozilla firefox Focus

Thu, 21 Aug 2025 12:45:00 +0000

Type: First Time appeared
Values Added: Apple; Apple ios; Mozilla; Mozilla firefox For Ios; Mozilla focus For Ios

Type: Vendors & Products
Values Added: Apple; Apple ios; Mozilla; Mozilla firefox For Ios; Mozilla focus For Ios

Wed, 20 Aug 2025 16:15:00 +0000

Type: Weaknesses
Values Added: CWE-601

Type: Metrics
Values Added:

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 Aug 2025 21:00:00 +0000

Type: Description
Values Added: Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This vulnerability affects Firefox for iOS < 142 and Focus for iOS < 142.
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:29:00.921Z

Reserved: 2025-08-05T13:26:34.686Z

Link: CVE-2025-55031

Vulnrichment

Updated: 2025-08-20T14:01:42.748Z

NVD

Status: Modified

Published: 2025-08-19T21:15:28.340

Modified: 2026-04-13T15:17:02.840

Link: CVE-2025-55031

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T17:00:12Z

Weaknesses