{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11717", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-10-13T19:50:16.067Z", "datePublished": "2025-10-14T12:27:37.569Z", "dateUpdated": "2026-04-13T14:31:18.968Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "144", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "When switching between Android apps using the card carousel Firefox shows a black screen as its card image when a password-related screen was the last one being used. Prior to Firefox 144 the password edit screen was visible. This vulnerability was fixed in Firefox 144.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "When switching between Android apps using the card carousel Firefox shows a black screen as its card image when a password-related screen was the last one being used. Prior to Firefox 144 the password edit screen was visible. This vulnerability was fixed in Firefox 144."}]}], "title": "The password edit screen was not hidden in Android card view", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1872601"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-81/"}], "credits": [{"lang": "en", "value": "msd"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:31:18.968Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-10-15T13:20:29.623113Z", "id": "CVE-2025-11717", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T13:24:29.948Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-11717", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-15T13:20:29.623113Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T13:20:32.059Z"}}], "cna": {"title": "The password edit screen was not hidden in Android card view", "credits": [{"lang": "en", "value": "msd"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "144", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1872601"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-81/"}], "descriptions": [{"lang": "en", "value": "When switching between Android apps using the card carousel Firefox shows a black screen as its card image when a password-related screen was the last one being used. Prior to Firefox 144 the password edit screen was visible. This vulnerability was fixed in Firefox 144.", "supportingMedia": [{"type": "text/html", "value": "When switching between Android apps using the card carousel Firefox shows a black screen as its card image when a password-related screen was the last one being used. Prior to Firefox 144 the password edit screen was visible. This vulnerability was fixed in Firefox 144.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:31:18.968Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11717", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:31:18.968Z", "dateReserved": "2025-10-13T19:50:16.067Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-10-14T12:27:37.569Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC554AD6-8F3F-4C92-85EA-C204204E9E9D", "versionEndExcluding": "144.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When switching between Android apps using the card carousel Firefox shows a black screen as its card image when a password-related screen was the last one being used. Prior to Firefox 144 the password edit screen was visible. This vulnerability was fixed in Firefox 144."}], "id": "CVE-2025-11717", "lastModified": "2026-04-13T15:16:40.930", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-10-14T13:15:38.033", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1872601"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-81/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T17:46:30.078826+00:00", "value": {"mitigation_remediation": ["Upgrade Firefox to version\u202f144 or later, which removes the card\u2011view disclosure bug. ", "If an upgrade is not immediately possible, disable the Android card\u2011carousel feature in Firefox settings or cease using Firefox for password input on Android until a patch is applied. ", "Stay informed of any new advisories by monitoring Mozilla\u2019s security alerts and apply subsequent releases as they become available."], "summary": {"action": "Update Firefox", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "The problem affects Mozilla Firefox installations on Android devices running Firefox prior to version 144. All Android operating systems are listed as affected, reflecting the card carousel feature native to Android that renders Firefox pages as cards for app switching. No other vendors or product lines are implicated.", "description_and_impact": "Firefox versions older than 144 displayed the password edit screen in the Android card carousel, exposing user-entered passwords to page thumbnails. The vulnerability allows the password characters to become visible when a user switches between apps, potentially leaking sensitive authentication information. The flaw is a classic data disclosure issue identified as CWE\u2011200.", "risk_and_exploitability": "The CVSS score of 9.1 categorizes this as a high\u2011severity vulnerability, reflecting the privacy compromise risk it poses. The EPSS figure of less than 1\u2009% indicates a very low likelihood of exploitation in the wild at the time of assessment, yet the lack of mitigations beyond a software update means that every user of the affected Firefox builds remains at risk. The vulnerability is not listed in the CISA KEV catalog, but its impact justifies prompt remediation."}}}}, "created": "2025-10-20T15:49:29.570529+00:00", "updated": "2026-04-20T18:00:11.159408+00:00", "vendors": ["google", "google$PRODUCT$android", "mozilla", "mozilla$PRODUCT$firefox"]}