CVE-2025-9186 - Vulnerability Details

- Spoofing issue in the Address Bar component of Firefox Focus for Android

Description

Spoofing issue in the Address Bar component of Firefox Focus for Android. This vulnerability was fixed in Firefox 142.

Published: 2025-08-19

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Address Bar component in Firefox Focus for Android can display an incorrect or misleading URL, potentially leading users to believe they are on a legitimate site when they are not. This spoofing can undermine user trust and enable phishing or social‑engineering attacks, as the user may interact with malicious content based on the falsified address. The vulnerability has been fixed in Firefox 142, so versions prior to that may exhibit the flaw.

Affected Systems

Mozilla’s Firefox Focus for Android; specifically any installation running Firefox Focus version 141 or earlier, until the application is updated to version 142 or later.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The most plausible attack scenario involves malicious web content or compromised network traffic that triggers the address bar to incorrectly display the URL; this inference is drawn from the description of a spoofing issue in the editor component. Attackers would need to embed deceptive content within the browser session to exploit the flaw, making it a local or application‑level vector rather than a remote host attack.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`142`	unaffected	≤ *

Configuration 1 [-]

cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*

No data.

Vendor	Product	Confidence	Versions
Google	Android	—	—
Mozilla	Firefox	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Firefox Focus to version 142 or later, ensuring the address bar spoofing fix is applied
If the update cannot be performed immediately, discontinue use of the browser for sensitive interactions until the patch is installed
When browsing, verify the displayed URL and HTTPS padlock before interacting, especially when encountering unfamiliar sites

Generated by OpenCVE AI on April 20, 2026 at 16:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-25242	Spoofing issue in the Address Bar component of Firefox Focus for Android. This vulnerability affects Firefox < 142.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00027.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1445758
https://www.mozilla.org/security/advisories/mfsa2025-64/

History

Mon, 13 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	Spoofing issue in the Address Bar component of Firefox Focus for Android. This vulnerability affects Firefox < 142.	Spoofing issue in the Address Bar component of Firefox Focus for Android. This vulnerability was fixed in Firefox 142.

Thu, 30 Oct 2025 16:30:00 +0000

Type	Values Removed	Values Added
Title		Spoofing issue in the Address Bar component of Firefox Focus for Android

Thu, 21 Aug 2025 18:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:mozilla:firefox:::::-:::*

Thu, 21 Aug 2025 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google Google android Mozilla Mozilla firefox
Vendors & Products		Google Google android Mozilla Mozilla firefox

Wed, 20 Aug 2025 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-451
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 19 Aug 2025 20:45:00 +0000

Type	Values Removed	Values Added
Description		Spoofing issue in the Address Bar component of Firefox Focus for Android. This vulnerability affects Firefox < 142.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1445758 https://www.mozilla.org/security/advisories/mfsa2025-64/

Subscriptions

Google Android

Mozilla Firefox

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-08-19T20:33:56.025Z

Updated: 2026-04-13T14:29:47.345Z

Reserved: 2025-08-19T15:56:08.382Z

Link: CVE-2025-9186

Vulnrichment

Updated: 2025-08-20T14:05:09.607Z

NVD

Status : Modified

Published: 2025-08-19T21:15:31.180

Modified: 2026-04-13T15:17:14.673

Link: CVE-2025-9186

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T17:00:12Z

Weaknesses

CWE-451

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object