CVE-2025-8364 - Vulnerability Details

- Address bar spoofing using an blob URI on Firefox for Android

Description

A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack.
*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 141.

Published: 2025-08-19

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A crafted URL using a blob: URI can conceal the true origin of a web page, allowing a malicious actor to present a page that appears to come from a legitimate site while actually originating elsewhere; the vulnerability could be exploited in a phishing or spoofing scenario, potentially misleading users despite no direct code execution or privilege escalation being stated.

Affected Systems

Mozilla Firefox for Android operating systems. All Firefox releases prior to 141 on Android devices are affected, as the issue was resolved in Firefox 141.

Risk and Exploitability

The CVSS score of 4.3 reflects a low-moderate risk profile, and the EPSS score of less than 1% indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require a user to open a crafted link or be tricked into interacting with a blob: URI, which suggests the attack vector is likely user‑initiated activity such as clicking a malicious link or visiting a tampered web page.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`141`	unaffected	≤ *

Configuration 1 [-]

AND

cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*

cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Google	Android	—	—
Mozilla	Firefox	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Firefox to version 141 or newer on all Android devices.
Enable automatic updates for Firefox to receive future security patches.
If an update is not possible, consider using an alternative mobile browser or applying an enterprise policy that blocks blob: URIs to mitigate spoofing risk.

Generated by OpenCVE AI on April 20, 2026 at 16:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-25231	A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack. Note: This issue only affected Android operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 141.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00046.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1909609
https://bugzilla.mozilla.org/show_bug.cgi?id=1969937
https://www.mozilla.org/security/advisories/mfsa2025-56/

History

Mon, 13 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack. Note: This issue only affected Android operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 141.	A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack. Note: This issue only affected Android operating systems. Other operating systems are unaffected.. This vulnerability was fixed in Firefox 141.
Title		Address bar spoofing using an blob URI on Firefox for Android

Thu, 21 Aug 2025 18:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:mozilla:firefox:::::-:::* cpe:2.3:o:google:android:-:::::::*

Thu, 21 Aug 2025 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google android Mozilla Mozilla firefox
Vendors & Products		Google Google android Mozilla Mozilla firefox

Wed, 20 Aug 2025 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-451
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 19 Aug 2025 21:00:00 +0000

Type	Values Removed	Values Added
Description		A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack. Note: This issue only affected Android operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 141.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1909609 https://bugzilla.mozilla.org/show_bug.cgi?id=1969937 https://www.mozilla.org/security/advisories/mfsa2025-56/

Subscriptions

Google Android

Mozilla Firefox

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-08-19T20:52:46.969Z

Updated: 2026-04-13T14:31:35.465Z

Reserved: 2025-07-30T16:10:59.624Z

Link: CVE-2025-8364

Vulnrichment

Updated: 2025-08-20T14:03:19.415Z

NVD

Status : Modified

Published: 2025-08-19T21:15:29.510

Modified: 2026-04-13T15:17:13.173

Link: CVE-2025-8364

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T17:00:12Z

Weaknesses

CWE-451

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object