{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-23109", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-01-10T21:00:17.659Z", "datePublished": "2025-01-11T03:36:55.235Z", "dateUpdated": "2026-04-13T14:29:26.731Z"}, "containers": {"cna": {"affected": [{"product": "Firefox for iOS", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "134", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address. This vulnerability was fixed in Firefox for iOS 134.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address. This vulnerability was fixed in Firefox for iOS 134."}]}], "title": "Address bar spoofing on iOS using long hostnames", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1419275"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-06/"}], "credits": [{"lang": "en", "value": "Khalil Zhani"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:29:26.731Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-346", "lang": "en", "description": "CWE-346 Origin Validation Error"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-13T17:38:40.993806Z", "id": "CVE-2025-23109", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-13T17:43:04.023Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-23109", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-13T17:38:40.993806Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346 Origin Validation Error"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-13T17:42:56.845Z"}}], "cna": {"title": "Address bar spoofing on iOS using long hostnames", "credits": [{"lang": "en", "value": "Khalil Zhani"}], "affected": [{"vendor": "Mozilla", "product": "Firefox for iOS", "versions": [{"status": "unaffected", "version": "134", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1419275"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-06/"}], "descriptions": [{"lang": "en", "value": "Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address. This vulnerability was fixed in Firefox for iOS 134.", "supportingMedia": [{"type": "text/html", "value": "Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address. This vulnerability was fixed in Firefox for iOS 134.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:29:26.731Z"}}}, "cveMetadata": {"cveId": "CVE-2025-23109", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:29:26.731Z", "dateReserved": "2025-01-10T21:00:17.659Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-01-11T03:36:55.235Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "287CBA5C-D765-4028-A3EE-44AE2589E99E", "versionEndExcluding": "134.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Long hostnames in URLs could be leveraged to obscure the actual host of the website or spoof the website address. This vulnerability was fixed in Firefox for iOS 134."}, {"lang": "es", "value": "Los nombres de host largos en las URL podr\u00edan aprovecharse para ocultar el host real del sitio web o falsificar la direcci\u00f3n del sitio web. Esta vulnerabilidad afecta a Firefox para iOS < 134."}], "id": "CVE-2025-23109", "lastModified": "2026-04-13T15:16:54.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-01-11T04:15:06.367", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1419275"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-06/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:54:46.523790+00:00", "value": {"mitigation_remediation": ["Upgrade Firefox for iOS to version 134 or later", "Enable automatic updates for the Firefox app to receive future security fixes", "Verify that the browser\u2019s privacy settings are configured to prevent address\u2011bar spoofing by third\u2011party elements"], "summary": {"action": "Apply patch", "impact": "Address bar spoofing"}, "threat_synthesis": {"affected_systems": "Firefox for iOS versions prior to 134 are affected. The vulnerability was addressed in Firefox for iOS 134, so all earlier builds of Firefox for iOS should be considered at risk.", "description_and_impact": "Mozilla Firefox for iOS allows long hostnames in URLs to be displayed in a way that hides the true host, potentially misleading users about the site they are visiting. Based on the description, the vulnerability could be exploited to facilitate phishing or social\u2011engineering attacks that rely on a user's trust in the displayed address. It is an input manipulation flaw (CWE\u2011346) that does not give direct access or code execution but undermines user confidence and could, if a user is tricked into submitting information on a forged address, lead to credential compromise.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a medium severity flaw. The EPSS score of less than 1% suggests a low probability of exploitation at this time. The issue is not listed in the CISA KEV catalog. Based on the description, the likely exploitation scenario would involve a malicious site with a very long hostname designed to mislead the address bar display; the attacker would need users to visit such a site, but no further privileges or payloads are required."}}}}, "created": "2026-04-21T00:00:13.391009+00:00", "updated": "2026-04-21T00:00:13.391042+00:00", "vendors": []}