Description
When a link can be opened in an external application, Firefox for Android will, by default, prompt the user before doing so. An attacker could have bypassed this prompt, potentially exposing the user to security vulnerabilities or privacy leaks in external applications.
*This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability was fixed in Firefox 140.
Published: 2025-06-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Bypass of the confirmation prompt, so a link can open an external application without the user agreeing to it.
Action: Patch Now
AI Analysis

Impact

Firefox for Android normally asks for confirmation before handing a link to an external application. The flaw let an attacker skip that confirmation, so a link the victim follows could launch the target app, with attacker-chosen URI data, without the user being asked. The consequence depends on the receiving app: a bug in its URI handling becomes reachable from a web page, and data passed in the URI may leak to it. The weakness is classified as CWE-285 (Improper Authorization), since the check that gates the action was not enforced.

Affected Systems

This issue affects Mozilla's Firefox for Android releases prior to version 140; any device running an earlier build is affected. Mozilla states that other versions of Firefox (desktop and other mobile builds) are not affected.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, score 6.5) rates this as medium: reachable over the network with low complexity and no privileges, but user interaction is still required (the victim has to follow the link or visit the attacker's page), and the rated impact is integrity only. The EPSS score below 1% suggests a low likelihood of widespread exploitation, the SSVC assessment records no known exploitation and marks the issue as not automatable, and it is not listed in CISA's KEV catalog. The attack vector is inferred from the description rather than from published details: an attacker would embed a link or URI scheme that the browser would normally prompt for, and the bypass would let it open the external app, or trigger a vulnerable component inside it, without the confirmation step.

Generated by OpenCVE AI on April 20, 2026 at 16:58 UTC.

Remediation

The vendor fix is the Firefox for Android 140 release (see the description above); no separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Firefox for Android to version 140 or later, which contains the prompt bypass fix.
  • Until the update is installed, review which apps on the device have registered to handle links (Android Settings > Apps > [app] > Open by default) and remove the defaults for apps you do not trust with externally supplied URIs.
  • Exercise caution when clicking on links that open external applications, especially from suspicious or unknown sources.
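The following script is an added example for this page, not OpenCVE's or Mozilla's code. It checks whether the installed Firefox for Android is at or past the fixed release and, when run against a device, lists which installed apps would answer a VIEW intent for a few URI schemes, which is the set of apps an unprompted external link could have reached. It assumes the release build is installed under the package name org.mozilla.firefox (beta and nightly builds use other package names), that adb is on PATH, and that the device's `cmd package query-activities` accepts the `-a`/`-d` intent arguments; the dumpsys sample embedded in the script is constructed.

```shell
#!/bin/sh
# Added example; not from the OpenCVE page or from Mozilla.
# Assumptions: release Firefox for Android is package org.mozilla.firefox,
# adb is available, and `cmd package query-activities` takes -a/-d.
FIXED_MAJOR=140   # first Firefox for Android release carrying the fix

# Print the leading integer of a version string ("141.0.1" -> 141);
# prints nothing when the string does not start with digits.
major_of() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\).*/\1/p'
}

# Succeed (exit 0) only when the versionName is 140 or later.
firefox_version_ok() {
    major=$(major_of "$1")
    [ -n "$major" ] && [ "$major" -ge "$FIXED_MAJOR" ]
}

# Pull the first versionName= line out of `dumpsys package` output.
version_from_dumpsys() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*versionName=\(.*\)$/\1/p' | head -n 1
}

# Constructed sample of what `adb shell dumpsys package org.mozilla.firefox`
# prints for an unpatched install; every field value here is made up.
SAMPLE_DUMPSYS='Package [org.mozilla.firefox] (1a2b3c):
    userId=10123
    versionCode=2016055891 minSdk=21 targetSdk=34
    versionName=139.0.4'

# Run against a connected device with: sh check_firefox.sh --device
if [ "${1:-}" = "--device" ]; then
    dump=$(adb shell dumpsys package org.mozilla.firefox)
    v=$(version_from_dumpsys "$dump")
    if firefox_version_ok "$v"; then
        echo "Firefox for Android $v: fixed (>= $FIXED_MAJOR)"
    else
        echo "Firefox for Android '${v:-not installed}': update to $FIXED_MAJOR or later"
    fi
    # Which installed apps would receive an unprompted external link?
    # List the VIEW handlers for each scheme of interest (sample URIs).
    for uri in "tel:+15555550100" "sms:+15555550100" "mailto:user@example.com"; do
        echo "== handlers for $uri =="
        adb shell cmd package query-activities --brief \
            -a android.intent.action.VIEW -d "$uri"
    done
fi
```

Without `--device` the script only defines its functions, so it can be sourced and used against a saved `dumpsys` dump; the handler listing is the part to review when deciding which apps' "Open by default" settings to clear.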

Generated by OpenCVE AI on April 20, 2026 at 16:58 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-19087
Title: When a link can be opened in an external application, Firefox for Android will, by default, prompt the user before doing so. An attacker could have bypassed this prompt, potentially exposing the user to security vulnerabilities or privacy leaks in external applications. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140.
History

Mon, 13 Apr 2026 15:00:00 +0000

Description
  Removed: When a link can be opened in an external application, Firefox for Android will, by default, prompt the user before doing so. An attacker could have bypassed this prompt, potentially exposing the user to security vulnerabilities or privacy leaks in external applications. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140.
  Added: When a link can be opened in an external application, Firefox for Android will, by default, prompt the user before doing so. An attacker could have bypassed this prompt, potentially exposing the user to security vulnerabilities or privacy leaks in external applications. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox 140.

Thu, 30 Oct 2025 16:30:00 +0000

Title
  Removed: firefox: The prompt in Firefox for Android that asks before opening a link in an external application could be bypassed
  Added: The prompt in Firefox for Android that asks before opening a link in an external application could be bypassed

Thu, 03 Jul 2025 16:30:00 +0000

First Time appeared
  Added: Google; Google android; Mozilla; Mozilla firefox
CPEs
  Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*; cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
Vendors & Products
  Added: Google; Google android; Mozilla; Mozilla firefox

Thu, 26 Jun 2025 00:30:00 +0000

Title
  Added: firefox: The prompt in Firefox for Android that asks before opening a link in an external application could be bypassed
References
  (changed; values not captured on this page)
Metrics
  threat_severity: Removed: None; Added: Low


Wed, 25 Jun 2025 13:15:00 +0000

Weaknesses
  Added: CWE-285
Metrics
  cvssV3_1 added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}
  ssvc added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Jun 2025 12:45:00 +0000

Description
  Added: When a link can be opened in an external application, Firefox for Android will, by default, prompt the user before doing so. An attacker could have bypassed this prompt, potentially exposing the user to security vulnerabilities or privacy leaks in external applications. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140.
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:31:05.455Z

Reserved: 2025-06-20T14:51:36.769Z

Link: CVE-2025-6431

Vulnrichment

Updated: 2025-06-25T12:33:59.279Z

NVD

Status : Modified

Published: 2025-06-24T13:15:24.103

Modified: 2026-04-13T15:17:07.460

Link: CVE-2025-6431

Redhat

Severity : Low

Public Date: 2025-06-24T12:28:03Z

Links: CVE-2025-6431 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T17:00:12Z

Weaknesses