{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11716", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-10-13T19:50:13.788Z", "datePublished": "2025-10-14T12:27:36.531Z", "dateUpdated": "2026-04-13T14:31:17.064Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "144", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "144", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Links in a sandboxed iframe could open an external app on Android without the required \"allow-\" permission. This vulnerability was fixed in Firefox 144 and Thunderbird 144.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Links in a sandboxed iframe could open an external app on Android without the required \"allow-\" permission. This vulnerability was fixed in Firefox 144 and Thunderbird 144."}]}], "title": "Sandboxed iframes allowed links to open in external apps (Android only)", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1818679"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-81/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-84/"}], "credits": [{"lang": "en", "value": "Axel Chong (@Haxatron)"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:31:17.064Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-10-15T13:21:06.795633Z", "id": "CVE-2025-11716", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T13:25:37.843Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-11716", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-15T13:21:06.795633Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T13:21:10.468Z"}}], "cna": {"title": "Sandboxed iframes allowed links to open in external apps (Android only)", "credits": [{"lang": "en", "value": "Axel Chong (@Haxatron)"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "144", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "144", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1818679"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-81/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-84/"}], "descriptions": [{"lang": "en", "value": "Links in a sandboxed iframe could open an external app on Android without the required \"allow-\" permission. This vulnerability was fixed in Firefox 144 and Thunderbird 144.", "supportingMedia": [{"type": "text/html", "value": "Links in a sandboxed iframe could open an external app on Android without the required \"allow-\" permission. This vulnerability was fixed in Firefox 144 and Thunderbird 144.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:31:17.064Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11716", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:31:17.064Z", "dateReserved": "2025-10-13T19:50:13.788Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-10-14T12:27:36.531Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC554AD6-8F3F-4C92-85EA-C204204E9E9D", "versionEndExcluding": "144.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7398846-C620-42AF-86CA-60C09184768A", "versionEndExcluding": "144.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Links in a sandboxed iframe could open an external app on Android without the required \"allow-\" permission. This vulnerability was fixed in Firefox 144 and Thunderbird 144."}], "id": "CVE-2025-11716", "lastModified": "2026-04-13T15:16:40.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-10-14T13:15:37.910", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1818679"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-81/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-84/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:11:27.866697+00:00", "value": {"mitigation_remediation": ["Install or upgrade to Mozilla Firefox 144 or higher on Android devices.", "Install or upgrade to Mozilla Thunderbird 144 or higher on Android devices.", "If an update cannot be performed immediately, advise users to disable automatic app link handling in Android settings or to exercise caution when clicking links that may launch external applications."], "summary": {"action": "Update Browser", "impact": "Unauthorized External App Launch"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Mozilla Firefox and Mozilla Thunderbird browsers on Android devices. Versions prior to 144 of either product are vulnerable. Non\u2011Android platforms are not impacted.", "description_and_impact": "Links placed inside a sandboxed iframe can invoke an external Android application without the intended allow- permission guard. The flaw is an improper access control (CWE\u2011284) that permits a web page, when displayed in Firefox or Thunderbird on Android, to trigger the launch of any installed app via a link. Attendees who tap such a link will cause that application to start, potentially allowing a malicious payload to run within the app context.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests a very low current exploitation probability. The vulnerability is not listed in CISA\u2019s KEV catalog. An attacker can exploit the flaw by hosting a web page that contains a sandboxed iframe with a link that points to an Android application; when a user taps the link, the target app launches without the required permission. No additional privileges or network access beyond the standard browser environment are needed for exploitation."}}}}, "created": "2025-10-20T15:49:37.384458+00:00", "updated": "2026-04-20T19:15:15.050303+00:00", "vendors": ["google", "google$PRODUCT$android", "mozilla", "mozilla$PRODUCT$firefox", "mozilla$PRODUCT$thunderbird"]}