CVE-2025-8043 - Vulnerability Details

Description

Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability was fixed in Firefox 141.

Published: 2025-07-22

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Mozilla’s browsers incorrectly truncate URLs toward the beginning instead of around the origin. This causes the address shown to omit the true destination and instead display a benign prefix, potentially confusing users about the site they are viewing. The flaw is classified as CWE‑451, improper handling of output visible to users, and can undermine user confidence in the browser’s address bar.

Affected Systems

The vulnerability affects Mozilla Firefox; all releases prior to version 141 are vulnerable, with the fix applied in Firefox 141. The Common Platform Enumeration list also includes Thunderbird, but no specific patch version is documented, so older Thunderbird releases remain at potential risk until an update is released.

Risk and Exploitability

The CVSS score of 9.8 indicates a high severity. The EPSS score of less than 1% implies that exploitation is currently rare, and the flaw is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is through the browser UI: an attacker can craft a link that displays a harmless prefix while the actual destination is malicious, potentially enabling social engineering or deceptive browsing experiences.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`141`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:::::-:::*
	cpe:2.3:a:mozilla:thunderbird:::::-:::*

No data.

Vendor	Product	Confidence	Versions
Mozilla	Firefox	—	—
Mozilla	Thunderbird	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Firefox to version 141 or later to eliminate the truncation issue.
Upgrade Thunderbird to the latest available release when a patch is released; until then, avoid using vulnerable versions for browsing.
Use safe browsing features or install a link‑preview extension that accurately displays URLs to mitigate confusion from truncated addresses.

Generated by OpenCVE AI on April 22, 2026 at 01:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-22358	Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability affects Firefox < 141 and Thunderbird < 141.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0018.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1970209
https://nvd.nist.gov/vuln/detail/CVE-2025-8043
https://www.cve.org/CVERecord?id=CVE-2025-8043
https://www.mozilla.org/security/advisories/mfsa2025-56/
https://www.mozilla.org/security/advisories/mfsa2025-61/

History

Mon, 13 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability affects Firefox < 141 and Thunderbird < 141.	Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability was fixed in Firefox 141.
Title	firefox: thunderbird: Incorrect URL truncation	Incorrect URL truncation

Tue, 29 Jul 2025 12:30:00 +0000

Type	Values Removed	Values Added
Title		firefox: thunderbird: Incorrect URL truncation
References		https://nvd.nist.gov/vuln/detail/CVE-2025-8043 https://www.cve.org/CVERecord?id=CVE-2025-8043
Metrics	threat_severity `None`	threat_severity `Moderate`

Mon, 28 Jul 2025 14:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:mozilla:firefox:::::-:::* cpe:2.3:a:mozilla:thunderbird:::::-:::*

Wed, 23 Jul 2025 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox Mozilla thunderbird
Vendors & Products		Mozilla Mozilla firefox Mozilla thunderbird

Wed, 23 Jul 2025 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-451
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 22 Jul 2025 21:00:00 +0000

Type	Values Removed	Values Added
Description		Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability affects Firefox < 141 and Thunderbird < 141.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1970209 https://www.mozilla.org/security/advisories/mfsa2025-56/ https://www.mozilla.org/security/advisories/mfsa2025-61/

Subscriptions

Mozilla Firefox Thunderbird

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-07-22T20:49:28.983Z

Updated: 2026-04-13T14:31:33.345Z

Reserved: 2025-07-22T10:14:15.245Z

Link: CVE-2025-8043

Vulnrichment

Updated: 2025-07-23T15:06:13.394Z

NVD

Status : Modified

Published: 2025-07-22T21:15:51.263

Modified: 2026-04-13T15:17:12.743

Link: CVE-2025-8043

Redhat

Severity : Moderate

Publid Date: 2025-07-22T20:49:28Z

Links: CVE-2025-8043 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T01:15:07Z

Weaknesses

CWE-451

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object