{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5020", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-05-21T01:18:07.391Z", "datePublished": "2025-05-21T17:18:08.510Z", "dateUpdated": "2026-04-13T14:30:18.166Z"}, "containers": {"cna": {"affected": [{"product": "Firefox for iOS", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "139", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client. This vulnerability was fixed in Firefox for iOS 139.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client. This vulnerability was fixed in Firefox for iOS 139."}]}], "title": "Links using non-HTTP schemes opened from other apps such as Safari could have allowed spoofing of website addresses", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1951558"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-39/"}], "credits": [{"lang": "en", "value": "James Lee"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:30:18.166Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-939", "lang": "en", "description": "CWE-939 Improper Authorization in Handler for Custom URL Scheme"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-05-21T18:58:50.193524Z", "id": "CVE-2025-5020", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-21T19:00:28.104Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-5020", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-21T18:58:50.193524Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-939", "description": "CWE-939 Improper Authorization in Handler for Custom URL Scheme"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-21T19:00:22.263Z"}}], "cna": {"title": "Links using non-HTTP schemes opened from other apps such as Safari could have allowed spoofing of website addresses", "credits": [{"lang": "en", "value": "James Lee"}], "affected": [{"vendor": "Mozilla", "product": "Firefox for iOS", "versions": [{"status": "unaffected", "version": "139", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1951558"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-39/"}], "descriptions": [{"lang": "en", "value": "Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client. This vulnerability was fixed in Firefox for iOS 139.", "supportingMedia": [{"type": "text/html", "value": "Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client. This vulnerability was fixed in Firefox for iOS 139.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:30:18.166Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5020", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:30:18.166Z", "dateReserved": "2025-05-21T01:18:07.391Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-05-21T17:18:08.510Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "97B66B67-3CD5-4D3F-82E2-7ADA95570AB3", "versionEndExcluding": "139.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client. This vulnerability was fixed in Firefox for iOS 139."}, {"lang": "es", "value": "La apertura de URL manipuladas con fines maliciosos en Firefox desde otras aplicaciones como Safari podr\u00eda haber permitido a los atacantes falsificar direcciones de sitios web si las URL utilizaban esquemas que no fueran HTTP utilizados internamente por el cliente Firefox iOS. Esta vulnerabilidad afecta a Firefox para iOS < 139."}], "id": "CVE-2025-5020", "lastModified": "2026-04-13T15:17:03.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-05-21T18:15:53.840", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1951558"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-39/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-939"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T20:31:03.061833+00:00", "value": {"mitigation_remediation": ["Install Firefox for iOS 139 or later to receive the fix for non\u2011HTTP scheme spoofing.", "Avoid opening or allowing links with non\u2011HTTP schemes from other applications; only click standard http or https URLs.", "If upgrading immediately is not possible, restrict or disable external applications from launching Firefox with custom URL schemes through device settings."], "summary": {"action": "Apply Patch", "impact": "URL address spoofing that can trick users into believing they are visiting legitimate sites"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox for iOS versions prior to 139 are impacted. The security fix was included in the 139 release and later versions. Users of older builds should verify their application version to determine if the issue remains present.", "description_and_impact": "The vulnerability allows maliciously crafted URLs that use non-HTTP schemes to be opened in Firefox for iOS from other applications such as Safari. By leveraging these internal schemes, an attacker can trick users into seeing a forged website address. Based on the description, it is inferred that such spoofing could be used for phishing or social\u2011engineering, although this is not explicitly stated. This flaw is classified under CWE\u2011939 and affects the trust model of the URL bar and the user\u2019s perception of site authenticity.", "risk_and_exploitability": "The CVSS score of 4.3 denotes moderate risk, while an EPSS score of <\u202f1\u202f% indicates a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, suggesting no widespread or known active exploits. Exploitation likely requires the attacker to supply a malicious link in another app that then directs Firefox to open a non\u2011HTTP scheme. The CVE description does not mention remote code execution or other destructive actions."}}}}, "created": "2026-04-20T20:45:16.929020+00:00", "updated": "2026-04-20T20:45:16.929029+00:00", "vendors": []}