{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1941", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-03-04T12:29:48.176Z", "datePublished": "2025-03-04T13:31:25.097Z", "dateUpdated": "2026-04-13T14:30:25.557Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "136", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed (distinct from CVE-2025-0245). This vulnerability was fixed in Firefox 136.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed (distinct from CVE-2025-0245). This vulnerability was fixed in Firefox 136."}]}], "title": "Lock screen setting bypass in Firefox Focus for Android", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1944665"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-14/"}], "credits": [{"lang": "en", "value": "Jurrie Overgoor"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:30:25.557Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-03-04T15:46:47.298162Z", "id": "CVE-2025-1941", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T15:49:09.046Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-1941", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-04T15:46:47.298162Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T15:48:24.179Z"}}], "cna": {"title": "Lock screen setting bypass in Firefox Focus for Android", "credits": [{"lang": "en", "value": "Jurrie Overgoor"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "136", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1944665"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-14/"}], "descriptions": [{"lang": "en", "value": "Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed (distinct from CVE-2025-0245). This vulnerability was fixed in Firefox 136.", "supportingMedia": [{"type": "text/html", "value": "Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed (distinct from CVE-2025-0245). This vulnerability was fixed in Firefox 136.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:30:25.557Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1941", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:30:25.557Z", "dateReserved": "2025-03-04T12:29:48.176Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-03-04T13:31:25.097Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DB4CDD0-EC54-43D0-ACB2-F159ABA53D2C", "versionEndExcluding": "136.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed (distinct from CVE-2025-0245). This vulnerability was fixed in Firefox 136."}, {"lang": "es", "value": "En determinadas circunstancias, se podr\u00eda haber omitido una configuraci\u00f3n de usuario que indicaba que Focus deb\u00eda requerir autenticaci\u00f3n antes de su uso (distinto de CVE-2025-0245). Esta vulnerabilidad afecta a Firefox < 136."}], "id": "CVE-2025-1941", "lastModified": "2026-04-13T15:16:53.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-03-04T14:15:39.063", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1944665"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-14/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Lock screen setting bypass in Firefox Focus for Android", "id": "2349785", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2349785"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-306", "details": ["Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed (distinct from CVE-2025-0245). This vulnerability affects Firefox < 136.", "A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: Under certain circumstances, a user opt-in setting that Focus should require authentication before use could be bypassed (distinct from CVE-2025-0245)."], "name": "CVE-2025-1941", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-03-04T13:31:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-1941\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-1941\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1944665\nhttps://www.mozilla.org/security/advisories/mfsa2025-14/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.\nThis CVE is specific to Firefox Focus for Android. No Red Hat products are affected.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-20T18:22:58.563391+00:00", "value": {"mitigation_remediation": ["Upgrade Firefox Focus to version 136 or later on all Android devices.", "If upgrade cannot be performed immediately, uninstall the vulnerable Focus app or disable any authentication\u2011requiring setting until a patched version is available.", "Apply device\u2011wide security controls such as app whitelisting and monitor logs for unauthorized use of Focus features."], "summary": {"action": "Immediate Patch", "impact": "Authentication bypass leading to unauthorized access"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox Focus for Android on all versions prior to 136 are impacted. Versions 136 and later contain the fix. Any device running an earlier build remains vulnerable.", "description_and_impact": "In Firefox Focus for Android, a flaw enables bypassing a user opt\u2011in setting that requires authentication before the app can be used. This removes the intended security barrier, allowing an attacker to access sensitive functionality or data without permission. The weakness is classified as an access control issue (CWE\u2011284) combined with a missing authentication (CWE\u2011306).", "risk_and_exploitability": "The CVSS score of 9.1 marks the vulnerability as severe, while the EPSS score of less than 1% indicates a very low likelihood of exploitation in the short term. The issue is not currently listed in the CISA KEV catalog. Exploitation would require local device access or the ability to load malicious content into the Focus app, a plausible scenario on compromised Android devices. Despite the low exploitation probability, the high severity warrants prompt remediation."}}}}, "created": "2026-04-20T18:30:13.979659+00:00", "updated": "2026-04-20T18:30:13.979673+00:00", "vendors": []}