{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1935", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-03-04T12:29:38.170Z", "datePublished": "2025-03-04T13:31:25.890Z", "dateUpdated": "2026-04-13T14:27:42.195Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "128.8", "lessThanOrEqual": "128.*", "versionType": "rpm"}, {"status": "unaffected", "version": "136", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "128.8", "lessThanOrEqual": "128.*", "versionType": "rpm"}, {"status": "unaffected", "version": "136", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8."}]}], "title": "Clickjacking the registerProtocolHandler info-bar", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1866661"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-14/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-16/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-17/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-18/"}], "credits": [{"lang": "en", "value": "Hafiizh"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:27:42.195Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-03-04T15:40:29.183426Z", "id": "CVE-2025-1935", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-25T13:19:36.062Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T20:57:21.111Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T20:57:21.111Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-1935", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-04T15:40:29.183426Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T15:42:14.944Z"}}], "cna": {"title": "Clickjacking the registerProtocolHandler info-bar", "credits": [{"lang": "en", "value": "Hafiizh"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "128.8", "versionType": "rpm", "lessThanOrEqual": "128.*"}, {"status": "unaffected", "version": "136", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "128.8", "versionType": "rpm", "lessThanOrEqual": "128.*"}, {"status": "unaffected", "version": "136", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1866661"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-14/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-16/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-17/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-18/"}], "descriptions": [{"lang": "en", "value": "A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.", "supportingMedia": [{"type": "text/html", "value": "A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:27:42.195Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1935", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:27:42.195Z", "dateReserved": "2025-03-04T12:29:38.170Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-03-04T13:31:25.890Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "51A0498A-4BF8-4166-A347-78023C0A6B33", "versionEndExcluding": "128.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DB4CDD0-EC54-43D0-ACB2-F159ABA53D2C", "versionEndExcluding": "136.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "D3C5A2B6-C7B5-4888-B0A7-9DA0C3024C71", "versionEndExcluding": "128.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "93C81C9D-FC2E-4D7D-A97F-8DB97ED92192", "versionEndExcluding": "136.0", "versionStartIncluding": "129.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8."}, {"lang": "es", "value": "Una p\u00e1gina web podr\u00eda enga\u00f1ar a un usuario para que configure ese sitio como el controlador predeterminado para un protocolo de URL personalizado. Esta vulnerabilidad afecta a Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136 y Thunderbird < 128.8."}], "id": "CVE-2025-1935", "lastModified": "2026-04-13T15:16:52.633", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-03-04T14:15:38.390", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1866661"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-14/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-16/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-17/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-18/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:2699", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "firefox-0:128.8.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2025-03-13T00:00:00Z"}, {"advisory": "RHSA-2025:2452", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:128.8.0-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-03-06T00:00:00Z"}, {"advisory": "RHSA-2025:2708", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "firefox-0:128.8.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2025-03-13T00:00:00Z"}, {"advisory": "RHSA-2025:2484", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "firefox-0:128.8.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:2484", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "firefox-0:128.8.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:2484", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "firefox-0:128.8.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:2485", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "firefox-0:128.8.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:2485", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "firefox-0:128.8.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:2485", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "firefox-0:128.8.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:2486", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "firefox-0:128.8.0-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:2359", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:128.8.0-1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-03-05T00:00:00Z"}, {"advisory": "RHSA-2025:2481", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "firefox-0:128.8.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:2480", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "firefox-0:128.8.0-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:2479", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "firefox-0:128.8.0-1.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-03-10T00:00:00Z"}], "bugzilla": {"description": "firefox: Clickjacking the registerProtocolHandler info-bar Reporter", "id": "2349792", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2349792"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-1021", "details": ["A web page could trick a user into setting that site as the default handler for a custom URL protocol. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8."], "name": "CVE-2025-1935", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-03-04T13:31:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-1935\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-1935\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1866661\nhttps://www.mozilla.org/security/advisories/mfsa2025-14/\nhttps://www.mozilla.org/security/advisories/mfsa2025-16/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory", "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-21T22:06:15.578513+00:00", "value": {"mitigation_remediation": ["Upgrade Mozilla Firefox to version 136 or later, or the ESR 128.8 release, and upgrade Mozilla Thunderbird to version 136 or later or ESR 128.8.", "Disable the registerProtocolHandler feature via the browser\u2019s configuration settings to prevent automatic protocol handler registration, mitigating clickjacking by removing the default handling prompt.", "Configure content security policies and X-Frame-Options headers in any web content served through the browser to mitigate potential cross\u2011site scripting and clickjacking exploitation, thereby strengthening user input validation and output encoding."], "summary": {"action": "Patch", "impact": "Unauthorized default protocol handler registration resulting in potential user identity spoofing"}, "threat_synthesis": {"affected_systems": "Systems affected include Mozilla Firefox and Mozilla Thunderbird, specifically any versions prior to Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8. Linux distributions that bundle these browsers, such as Red\u00a0Hat Enterprise Linux 8 and 9 and their extended support releases, are also impacted when they run the vulnerable browser versions.", "description_and_impact": "A web page could trick a user into setting that site as the default handler for a custom URL protocol. Based on the description, it is inferred that an attacker could employ clickjacking techniques to cause the registration to happen without genuine user intent, giving the attacker the ability to hijack URLs targeted to the custom protocol. This results in an unauthorized capability that could be abused to direct traffic or manipulate user interactions.", "risk_and_exploitability": "The CVSS score is 4.3, indicating moderate impact, while the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of exploitation. The likely attack vector, inferred from the description, requires a user to visit a malicious web page that uses clickjacking to bypass the default handler prompt; no remote code execution is required."}}}}, "created": "2026-04-21T22:15:45.900617+00:00", "updated": "2026-04-21T22:15:45.900629+00:00", "vendors": []}