{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1939", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-03-04T12:29:44.141Z", "datePublished": "2025-03-04T13:31:22.881Z", "dateUpdated": "2026-04-13T14:30:21.704Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "136", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability was fixed in Firefox 136.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability was fixed in Firefox 136."}]}], "title": "Tapjacking in Android Custom Tabs using transition animations", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1928334"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-14/"}], "credits": [{"lang": "en", "value": "Philipp Beer"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:30:21.704Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-359", "lang": "en", "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.9, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-03-04T16:11:36.109677Z", "id": "CVE-2025-1939", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-05T18:31:55.796Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-09-07T23:09:55.634Z"}, "references": [{"url": "https://taptrap.click"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://taptrap.click"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-09-07T23:09:55.634Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.9, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-1939", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-04T16:11:36.109677Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-359", "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-05T16:38:12.804Z"}}], "cna": {"title": "Tapjacking in Android Custom Tabs using transition animations", "credits": [{"lang": "en", "value": "Philipp Beer"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "136", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1928334"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-14/"}], "descriptions": [{"lang": "en", "value": "Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability was fixed in Firefox 136.", "supportingMedia": [{"type": "text/html", "value": "Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability was fixed in Firefox 136.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:30:21.704Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1939", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:30:21.704Z", "dateReserved": "2025-03-04T12:29:44.141Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-03-04T13:31:22.881Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DB4CDD0-EC54-43D0-ACB2-F159ABA53D2C", "versionEndExcluding": "136.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability was fixed in Firefox 136."}, {"lang": "es", "value": "Las aplicaciones de Android pueden cargar p\u00e1ginas web mediante la funci\u00f3n Pesta\u00f1as personalizadas. Esta funci\u00f3n admite una animaci\u00f3n de transici\u00f3n que podr\u00eda haberse utilizado para enga\u00f1ar a un usuario y conseguir que otorgara permisos confidenciales ocultando en qu\u00e9 estaba haciendo clic. Esta vulnerabilidad afecta a Firefox < 136."}], "id": "CVE-2025-1939", "lastModified": "2026-04-13T15:16:53.420", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-03-04T14:15:38.837", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1928334"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-14/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://taptrap.click"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-359"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Tapjacking in Android Custom Tabs using transition animations", "id": "2349798", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2349798"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-1021", "details": ["Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking. This vulnerability affects Firefox < 136.", "A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could be used to trick a user into granting sensitive permissions by hiding what the user is actually clicking."], "name": "CVE-2025-1939", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-03-04T13:31:22Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-1939\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-1939\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1928334\nhttps://www.mozilla.org/security/advisories/mfsa2025-14/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.\nThis CVE is specific to Firefox for Android.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-20T18:25:16.723393+00:00", "value": {"mitigation_remediation": ["Update Firefox to version\u202f136 or later on all Android devices that use Custom Tabs.", "If updating is delayed, reduce or disable the use of transition animations in Custom Tabs through application or system settings.", "Educate users to scrutinize permission prompts and avoid granting permissions when the interface does not clearly match the requested action.", "Where feasible, replace Custom Tab usage with a standard WebView that gives developers direct control over UI elements."], "summary": {"action": "Apply patch", "impact": "Unauthorized permission granting via tapjacking"}, "threat_synthesis": {"affected_systems": "This issue affects Firefox applications on Android that employ Custom Tabs, specifically any release prior to Firefox\u202f136. Mobile apps relying on old Firefox Custom Tab integration are vulnerable.", "description_and_impact": "Android applications can use Custom Tabs to display web content and support transition animations that allow attackers to mask the true clickable target. The weakness, classified as CWE-1021 and CWE-359, enables malicious code to mislead a user into granting permissions they did not intend to provide. The impact is that a user might unwittingly consent to sensitive permissions, exposing personal data and potentially allowing further malicious activity.", "risk_and_exploitability": "The CVSS score of 3.9 reflects a low severity, and the EPSS value of <1\u202f% indicates a very small probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is an Android application that loads malicious content in a Custom Tab and uses transition animations to hide the real click target, thereby tricking the user into granting permissions. Given the low severity and exploitation likelihood, the overall risk remains modest but still warrants timely remediation."}}}}, "created": "2026-04-20T18:30:13.980343+00:00", "updated": "2026-04-20T18:30:13.980358+00:00", "vendors": []}