{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-27426", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-02-24T20:03:31.187Z", "datePublished": "2025-03-04T13:31:27.827Z", "dateUpdated": "2026-04-13T14:29:03.195Z"}, "containers": {"cna": {"affected": [{"product": "Firefox for iOS", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "136", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Malicious websites utilizing a server-side redirect to an internal error page could result in a spoofed website URL. This vulnerability was fixed in Firefox for iOS 136.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Malicious websites utilizing a server-side redirect to an internal error page could result in a spoofed website URL. This vulnerability was fixed in Firefox for iOS 136."}]}], "title": "Firefox Mobile iOS Full Address Bar Spoof Using Server-Side Redirect to internal error page", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1933079"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-13/"}], "credits": [{"lang": "en", "value": "Renwa"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:29:03.195Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-601", "lang": "en", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-03-04T15:31:20.980456Z", "id": "CVE-2025-27426", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T15:32:13.097Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-27426", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-04T15:31:20.980456Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T15:32:07.799Z"}}], "cna": {"title": "Firefox Mobile iOS Full Address Bar Spoof Using Server-Side Redirect to internal error page", "credits": [{"lang": "en", "value": "Renwa"}], "affected": [{"vendor": "Mozilla", "product": "Firefox for iOS", "versions": [{"status": "unaffected", "version": "136", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1933079"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-13/"}], "descriptions": [{"lang": "en", "value": "Malicious websites utilizing a server-side redirect to an internal error page could result in a spoofed website URL. This vulnerability was fixed in Firefox for iOS 136.", "supportingMedia": [{"type": "text/html", "value": "Malicious websites utilizing a server-side redirect to an internal error page could result in a spoofed website URL. This vulnerability was fixed in Firefox for iOS 136.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:29:03.195Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27426", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:29:03.195Z", "dateReserved": "2025-02-24T20:03:31.187Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-03-04T13:31:27.827Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DB4CDD0-EC54-43D0-ACB2-F159ABA53D2C", "versionEndExcluding": "136.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*", "matchCriteriaId": "B5415705-33E5-46D5-8E4D-9EBADC8C5705", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Malicious websites utilizing a server-side redirect to an internal error page could result in a spoofed website URL. This vulnerability was fixed in Firefox for iOS 136."}, {"lang": "es", "value": "Sitios web maliciosos que utilicen una redirecci\u00f3n del lado del servidor a una p\u00e1gina de error interno podr\u00edan permitir mostrar una URL falsa para el sitio web. Esta vulnerabilidad afecta a Firefox para iOS < 136."}], "id": "CVE-2025-27426", "lastModified": "2026-04-13T15:16:55.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-03-04T14:15:39.593", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1933079"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-13/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T18:20:25.111755+00:00", "value": {"mitigation_remediation": ["Update Firefox for iOS to version 136 or later via the App Store.", "Enable auto\u2011update for the App Store to receive future security patches automatically.", "Exercise caution when clicking links from untrusted sources to prevent malicious redirects."], "summary": {"action": "Patch Update", "impact": "URL Spoofing"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox for iOS is affected, specifically all releases prior to version 136. The issue was addressed and fixed in Firefox for iOS 136, so any device running an older build on iPhone OS is vulnerable. Apple\u2019s iOS platform itself is not the direct target, but the browsers on iOS devices are.", "description_and_impact": "Malicious websites can issue a server\u2011side redirect to an internal error page, causing the address bar to display a spoofed URL. The attacker is subsequently able to lure users into believing they are accessing a legitimate site, which could lead to credential theft or other social\u2011engineering attacks. The vulnerability is an open redirect (CWE\u2011601) and does not provide direct code execution or denial of service, but it enables phishing and deceptive UI behavior.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate severity, and the EPSS is below 1%, suggesting a low probability of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers would typically need to trick a user into visiting a malicious webpage that performs the redirect; the spoofed URL trick is visible to the user, so detection is possible but not guaranteed. Because the flaw involves a server\u2011side redirect, exploitation requires an attacker\u2011controlled website and victim browsing behavior."}}}}, "created": "2026-04-20T18:30:13.977836+00:00", "updated": "2026-04-20T18:30:13.977852+00:00", "vendors": []}