{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10535", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-09-16T06:48:48.904Z", "datePublished": "2025-09-16T12:26:38.955Z", "dateUpdated": "2026-04-13T14:30:35.055Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "143", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Information disclosure, mitigation bypass in the Privacy component in Firefox for Android. This vulnerability was fixed in Firefox 143.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Information disclosure, mitigation bypass in the Privacy component in Firefox for Android. This vulnerability was fixed in Firefox 143."}]}], "title": "Information disclosure, mitigation bypass in the Privacy component in Firefox for Android", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1979918"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-73/"}], "credits": [{"lang": "en", "value": "Rebeca Tudor"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:30:35.055Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-09-17T14:02:21.292689Z", "id": "CVE-2025-10535", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T15:49:28.323Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-10535", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-17T14:02:21.292689Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-17T14:03:49.853Z"}}], "cna": {"title": "Information disclosure, mitigation bypass in the Privacy component in Firefox for Android", "credits": [{"lang": "en", "value": "Rebeca Tudor"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "143", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1979918"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-73/"}], "descriptions": [{"lang": "en", "value": "Information disclosure, mitigation bypass in the Privacy component in Firefox for Android. This vulnerability was fixed in Firefox 143.", "supportingMedia": [{"type": "text/html", "value": "Information disclosure, mitigation bypass in the Privacy component in Firefox for Android. This vulnerability was fixed in Firefox 143.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:30:35.055Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10535", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:30:35.055Z", "dateReserved": "2025-09-16T06:48:48.904Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-09-16T12:26:38.955Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A8F1380-5E9C-49C4-A8CA-6C7F1C90C254", "versionEndExcluding": "143.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Information disclosure, mitigation bypass in the Privacy component in Firefox for Android. This vulnerability was fixed in Firefox 143."}], "id": "CVE-2025-10535", "lastModified": "2026-04-13T15:16:37.213", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-09-16T13:15:48.503", "references": [{"source": "security@mozilla.org", "tags": ["Broken Link"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1979918"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-73/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Information disclosure, mitigation bypass in the Privacy component in Firefox for Android", "id": "2395760", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395760"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2025-10535", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-09-16T12:26:38Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-10535\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-10535\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1979918\nhttps://www.mozilla.org/security/advisories/mfsa2025-73/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-20T17:54:53.566836+00:00", "value": {"mitigation_remediation": ["Update Firefox for Android to version 143 or later.", "Configure device or app\u2011level restrictions to limit the Privacy component\u2019s access to sensitive data if an update cannot be applied immediately.", "Monitor Mozilla security advisories for any further patches or guidance related to this vulnerability."], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox for Android versions prior to 143. Firefox 143 and later include the fix. No other vendors or products are impacted by this vulnerability within the current CNA data.", "description_and_impact": "The vulnerability arises from inadequate protection of sensitive data within Firefox for Android's Privacy component, leading to potential exposure of user information. Attackers could exploit this flaw to read data that should remain private, breaching confidentiality. The weakness aligns with CWE-200, indicating information exposure.", "risk_and_exploitability": "The CVSS score of 7.5 signals a high impact if exploited. The EPSS < 1% indicates a low likelihood of exploitation at this time, and the vulnerability is not listed in CISA's KEV. Likely exploitation requires user interaction or local privilege escalation, as no remote execution vector is described. Therefore, while the risk is moderate, timely patching remains critical."}}}}, "created": "2025-09-17T10:04:20.947245+00:00", "updated": "2026-04-20T18:00:11.170224+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}