{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-0246", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-01-06T14:49:17.440Z", "datePublished": "2025-01-07T16:07:05.551Z", "dateUpdated": "2026-04-13T14:29:57.530Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "134", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "When using an invalid protocol scheme, an attacker could spoof the address bar. \n*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*\n*Note: This issue is a different issue from CVE-2025-0244. This vulnerability was fixed in Firefox 134.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "When using an invalid protocol scheme, an attacker could spoof the address bar. <br>*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*<br>*Note: This issue is a different issue from CVE-2025-0244. This vulnerability was fixed in Firefox 134."}]}], "title": "Address bar spoofing using an invalid protocol scheme on Firefox for Android", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1912709"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-01/"}], "credits": [{"lang": "en", "value": "James Lee"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:29:57.530Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-08T15:49:04.131560Z", "id": "CVE-2025-0246", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-08T15:54:25.771Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-0246", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-08T15:49:04.131560Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-08T15:54:20.489Z"}}], "cna": {"title": "Address bar spoofing using an invalid protocol scheme on Firefox for Android", "credits": [{"lang": "en", "value": "James Lee"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "134", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1912709"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-01/"}], "descriptions": [{"lang": "en", "value": "When using an invalid protocol scheme, an attacker could spoof the address bar. \n*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*\n*Note: This issue is a different issue from CVE-2025-0244. This vulnerability was fixed in Firefox 134.", "supportingMedia": [{"type": "text/html", "value": "When using an invalid protocol scheme, an attacker could spoof the address bar. <br>*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*<br>*Note: This issue is a different issue from CVE-2025-0244. This vulnerability was fixed in Firefox 134.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:29:57.530Z"}}}, "cveMetadata": {"cveId": "CVE-2025-0246", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:29:57.530Z", "dateReserved": "2025-01-06T14:49:17.440Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-01-07T16:07:05.551Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "4FDCA935-A68D-404E-A749-CA3845C709F0", "versionEndExcluding": "134.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When using an invalid protocol scheme, an attacker could spoof the address bar. \n*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*\n*Note: This issue is a different issue from CVE-2025-0244. This vulnerability was fixed in Firefox 134."}, {"lang": "es", "value": "Al utilizar un esquema de protocolo no v\u00e1lido, un atacante podr\u00eda falsificar la barra de direcciones. *Nota: este problema solo afectaba a los sistemas operativos Android. Los dem\u00e1s sistemas operativos no se ven afectados.* *Nota: este problema es diferente de CVE-2025-0244. Esta vulnerabilidad afecta a Firefox &lt; 134."}], "id": "CVE-2025-0246", "lastModified": "2026-04-13T15:16:35.003", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-01-07T16:15:39.260", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1912709"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-01/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "firefox: Address bar spoofing using an invalid protocol scheme on Firefox for Android", "id": "2336183", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2336183"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-451", "details": ["When using an invalid protocol scheme, an attacker could spoof the address bar. \n*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*\n*Note: This issue is a different issue from CVE-2025-0244. This vulnerability affects Firefox < 134.", "A flaw was found in Firefox. The Mozilla Foundation's Security Advisory: When using an invalid protocol scheme, an attacker could spoof the address bar. Note: This issue is different than CVE-2025-0244."], "name": "CVE-2025-0246", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox:flatpak/firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-01-07T16:07:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-0246\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-0246\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1912709\nhttps://www.mozilla.org/security/advisories/mfsa2025-01/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory. This issue only affects Android operating systems. Other operating systems are unaffected.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-20T18:34:11.833192+00:00", "value": {"mitigation_remediation": ["Update Firefox to version 134 or newer on all Android devices to remove the invalid protocol handling code.", "If a timely update is not feasible, configure device or browser policy to block unknown or unregistered protocol schemes so that malformed links cannot trigger the spoofed address bar.", "Educate users to verify the actual domain in the address bar, especially when viewing links from untrusted sources, and rely on built\u2011in phishing detection tools to catch deceptive pages."], "summary": {"action": "Immediate Patch", "impact": "Address Bar Spoofing"}, "threat_synthesis": {"affected_systems": "The issue affects all versions of Mozilla Firefox for Android prior to the 134 release. Operating systems other than Android are unaffected. Any Android device running an outdated Firefox installation is vulnerable until a patched version is installed.", "description_and_impact": "When a user opens a link that contains an invalid protocol scheme, Firefox for Android renders a forged address bar display, causing the user to believe they are viewing a legitimate site. The attacker can therefore present malicious content under the guise of a trusted domain, potentially leading to phishing or social\u2011engineering attacks. This flaw does not provide direct code execution or data exfiltration, but the deception effect can carry significant business and reputational impact.", "risk_and_exploitability": "The CVSS score of 6.5 describes the vulnerability as moderate, and the EPSS score of less than 1% indicates that exploitation incidents are expected to be rare. It is not listed in CISA\u2019s KEV catalog. Attackers would typically need a user to interact with a malicious link\u2014such as clicking text in an email, message, or webpage\u2014containing the malformed scheme. No elevated privileges or additional system compromise are required to exploit this flaw."}}}}, "created": "2026-04-20T18:45:14.238948+00:00", "updated": "2026-04-20T18:45:14.238962+00:00", "vendors": []}