{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11720", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-10-13T19:50:22.446Z", "datePublished": "2025-10-14T12:27:38.204Z", "dateUpdated": "2026-04-13T14:31:25.625Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "144", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "The Firefox and Firefox Focus UI for the Android custom tab feature only showed the \"site\" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability was fixed in Firefox 144.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The Firefox and Firefox Focus UI for the Android custom tab feature only showed the \"site\" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability was fixed in Firefox 144."}]}], "title": "Spoofing risk in Android custom tabs", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1979534"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1984370"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-81/"}], "credits": [{"lang": "en", "value": "Michel Le Bihan"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:31:25.625Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-451", "lang": "en", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-10-15T13:18:34.454167Z", "id": "CVE-2025-11720", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T13:19:42.977Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-11720", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-15T13:18:34.454167Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T13:18:37.511Z"}}], "cna": {"title": "Spoofing risk in Android custom tabs", "credits": [{"lang": "en", "value": "Michel Le Bihan"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "144", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1979534"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1984370"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-81/"}], "descriptions": [{"lang": "en", "value": "The Firefox and Firefox Focus UI for the Android custom tab feature only showed the \"site\" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability was fixed in Firefox 144.", "supportingMedia": [{"type": "text/html", "value": "The Firefox and Firefox Focus UI for the Android custom tab feature only showed the \"site\" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability was fixed in Firefox 144.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:31:25.625Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11720", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:31:25.625Z", "dateReserved": "2025-10-13T19:50:22.446Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-10-14T12:27:38.204Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC554AD6-8F3F-4C92-85EA-C204204E9E9D", "versionEndExcluding": "144.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Firefox and Firefox Focus UI for the Android custom tab feature only showed the \"site\" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability was fixed in Firefox 144."}], "id": "CVE-2025-11720", "lastModified": "2026-04-13T15:16:41.423", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-10-14T13:15:38.400", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1979534"}, {"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1984370"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-81/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-451"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:40:28.216070+00:00", "value": {"mitigation_remediation": ["Upgrade Firefox and Firefox Focus to version\u202f144 or later on all Android devices.", "If an immediate upgrade is not feasible, disable the custom tabs feature in Firefox (Settings\u202f\u2192\u202fPrivacy &\u202fSecurity\u202f\u2192\u202fCustom Tabs) to remove the spoofing risk until a patch is applied.", "For enterprise environments, restrict or block third\u2011party applications that use the Android custom tab intent with known phishing domains until the update is deployed."], "summary": {"action": "Upgrade promptly", "impact": "Spoofing via Android custom tabs"}, "threat_synthesis": {"affected_systems": "Mozilla\u2019s Firefox and Firefox Focus browsers running on Android devices are affected. The flaw exists in all releases prior to Firefox\u202f144. Devices with older versions of these browsers are vulnerable to the spoofing risk described.", "description_and_impact": "The vulnerability limits the information shown in the Firefox and Firefox Focus user interface for Android custom tabs to only the site name, omitting the full hostname. Content served from a subdomain of a legitimate site could therefore appear to come from a different subdomain, potentially misleading a user about the origin of the content. This deceptive display may allow a malicious party to trick a user into accepting or interacting with content that it believes is from a trusted domain.", "risk_and_exploitability": "The CVSS score of 8.1 reflects a high severity, while the EPSS score of less than\u202f1% indicates that the likelihood of exploitation is low but not negligible. This vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation campaigns are documented. Based on the description, it is inferred that the likely attack vector involves an application that opens a custom tab to a malicious subdomain; the attacker leverages the limited hostname display to deceive the user without needing code execution or elevated privileges. The risk remains significant because users may trust the displayed site name and interact with dangerous content."}}}}, "created": "2025-10-20T15:49:37.840186+00:00", "updated": "2026-04-20T21:45:18.971279+00:00", "vendors": ["google", "google$PRODUCT$android", "mozilla", "mozilla$PRODUCT$firefox"]}