{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-0245", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-01-06T14:49:15.655Z", "datePublished": "2025-01-07T16:07:05.265Z", "dateUpdated": "2026-04-13T14:29:55.662Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "134", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed. This vulnerability was fixed in Firefox 134.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed. This vulnerability was fixed in Firefox 134."}]}], "title": "Lock screen setting bypass in Firefox Focus for Android", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1895342"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-01/"}], "credits": [{"lang": "en", "value": "Jurrie Overgoor"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:29:55.662Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-08T15:32:24.869675Z", "id": "CVE-2025-0245", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-08T15:44:53.357Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-0245", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-08T15:32:24.869675Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-08T15:44:48.935Z"}}], "cna": {"title": "Lock screen setting bypass in Firefox Focus for Android", "credits": [{"lang": "en", "value": "Jurrie Overgoor"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "134", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1895342"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-01/"}], "descriptions": [{"lang": "en", "value": "Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed. This vulnerability was fixed in Firefox 134.", "supportingMedia": [{"type": "text/html", "value": "Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed. This vulnerability was fixed in Firefox 134.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:29:55.662Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0245", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:29:55.662Z", "dateReserved": "2025-01-06T14:49:15.655Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-01-07T16:07:05.265Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "4FDCA935-A68D-404E-A749-CA3845C709F0", "versionEndExcluding": "134.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed. This vulnerability was fixed in Firefox 134."}, {"lang": "es", "value": "En determinadas circunstancias, se podr\u00eda haber omitido una configuraci\u00f3n de usuario que obligaba a Focus a solicitar autenticaci\u00f3n antes de su uso. Esta vulnerabilidad afecta a Firefox < 134."}], "id": "CVE-2025-0245", "lastModified": "2026-04-13T15:16:34.837", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-01-07T16:15:39.167", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1895342"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-01/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "firefox: Lock screen setting bypass in Firefox Focus for Android", "id": "2336172", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2336172"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-288", "details": ["Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed. This vulnerability affects Firefox < 134.", "The Mozilla Foundation's Security Advisory: Under certain circumstances, a user opt-in setting that Focus should require authentication before use could be bypassed."], "name": "CVE-2025-0245", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox:flatpak/firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-01-07T16:07:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-0245\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-0245\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1895342\nhttps://www.mozilla.org/security/advisories/mfsa2025-01/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory. This vulnerability is specific to Firefox Focus in Android. Red Hat is not affected.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-20T18:34:26.852905+00:00", "value": {"mitigation_remediation": ["Upgrade Firefox Focus to version 134 or later, which contains the fix for the authentication bypass.", "Verify that the login\u2011or\u2011lock\u2011screen requirement is enabled and functional in the app\u2019s settings after the upgrade.", "Keep the application and OS up to date and monitor for any user reports of unauthorized access to the app\u2019s features."], "summary": {"action": "Patch Update", "impact": "Authentication bypass in Firefox Focus for Android"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox Focus for Android. Versions up to but not including 134 are vulnerable. The fix is applied in Firefox 134 and later.", "description_and_impact": "Under certain circumstances the user opt\u2011in setting that requires authentication before using Firefox Focus could be bypassed, allowing the application to be accessed without its intended authentication mechanism. The weakness is classified as CWE\u2011288: Improper Authentication. Using the app in this way could expose private browsing sessions or location data that were meant to be protected by the lock screen setting.", "risk_and_exploitability": "The CVSS score of 3.3 indicates a low severity issue, and the EPSS score is reported as less than 1\u202f%, suggesting a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would presumably require the attacker to be in possession of the device and to trigger the specific circumstances that allow the authentication bypass; it is not a remote or network\u2011based attack. As such, the overall risk remains low."}}}}, "created": "2026-04-20T18:45:14.239249+00:00", "updated": "2026-04-20T18:45:14.239262+00:00", "vendors": []}