{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-54144", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-07-17T02:35:52.285Z", "datePublished": "2025-08-19T20:52:47.918Z", "dateUpdated": "2026-04-13T14:30:54.598Z"}, "containers": {"cna": {"affected": [{"product": "Firefox for iOS", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "141", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "The URL scheme used by Firefox to facilitate searching of text queries could incorrectly allow attackers to open arbitrary website URLs or internal pages if a user was tricked into clicking a link. This vulnerability was fixed in Firefox for iOS 141.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The URL scheme used by Firefox to facilitate searching of text queries could incorrectly allow attackers to open arbitrary website URLs or internal pages if a user was tricked into clicking a link. This vulnerability was fixed in Firefox for iOS 141."}]}], "title": "Internal Firefox open-text URL scheme allowed loading of arbitrary URLs", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1946062"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-60/"}], "credits": [{"lang": "en", "value": "James Lee"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:30:54.598Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-601", "lang": "en", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-08-20T14:02:41.412213Z", "id": "CVE-2025-54144", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T15:17:40.281Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-54144", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-20T14:02:41.412213Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T14:02:45.556Z"}}], "cna": {"title": "Internal Firefox open-text URL scheme allowed loading of arbitrary URLs", "credits": [{"lang": "en", "value": "James Lee"}], "affected": [{"vendor": "Mozilla", "product": "Firefox for iOS", "versions": [{"status": "unaffected", "version": "141", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1946062"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-60/"}], "descriptions": [{"lang": "en", "value": "The URL scheme used by Firefox to facilitate searching of text queries could incorrectly allow attackers to open arbitrary website URLs or internal pages if a user was tricked into clicking a link. This vulnerability was fixed in Firefox for iOS 141.", "supportingMedia": [{"type": "text/html", "value": "The URL scheme used by Firefox to facilitate searching of text queries could incorrectly allow attackers to open arbitrary website URLs or internal pages if a user was tricked into clicking a link. This vulnerability was fixed in Firefox for iOS 141.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:30:54.598Z"}}}, "cveMetadata": {"cveId": "CVE-2025-54144", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:30:54.598Z", "dateReserved": "2025-07-17T02:35:52.285Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-08-19T20:52:47.918Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "49B2D080-DBF5-4711-8563-B24D688F8B31", "versionEndExcluding": "141.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The URL scheme used by Firefox to facilitate searching of text queries could incorrectly allow attackers to open arbitrary website URLs or internal pages if a user was tricked into clicking a link. This vulnerability was fixed in Firefox for iOS 141."}, {"lang": "es", "value": "El esquema de URL utilizado por Firefox para facilitar la b\u00fasqueda de consultas de texto podr\u00eda permitir incorrectamente a los atacantes abrir URL de sitios web arbitrarios o p\u00e1ginas internas si un usuario fue enga\u00f1ado para hacer clic en un enlace. Esta vulnerabilidad afecta a Firefox para iOS < 141."}], "id": "CVE-2025-54144", "lastModified": "2026-04-13T15:17:02.017", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-08-19T21:15:27.710", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1946062"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-60/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T16:47:11.621827+00:00", "value": {"mitigation_remediation": ["Install Firefox for iOS version 141 or later via the App Store", "Enable automatic updates for Firefox to ensure timely receipt of security patches", "Instruct users to be cautious of unexpected links and avoid clicking them unless the source is verified"], "summary": {"action": "Update Firefox", "impact": "Open arbitrary URLs from malicious links"}, "threat_synthesis": {"affected_systems": "All builds of Firefox for iOS released before version 141 are affected; the vulnerability was addressed in update 141. Users must ensure they are running a patched version of the browser on iOS devices.", "description_and_impact": "Firefox for iOS uses an internal \"open-text\" URL scheme that, when malformed, can be exploited to load any arbitrary webpage or internal application page. This allows an attacker to deceive a user into navigating to a malicious site or executing unintended internal actions, potentially leading to phishing or compromise of user data. The weakness is classified as CWE\u2011601 (Open Redirect). The impact is moderate, affecting confidentiality and integrity of user sessions but not granting direct code execution.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity. EPSS is below 1%, showing a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack requires user interaction: the victim must click a link crafted by the attacker. While the risk is not high, it remains noteworthy especially when users receive unsolicited or suspicious links."}}}}, "created": "2025-08-21T12:31:33.096267+00:00", "updated": "2026-04-20T17:00:12.724906+00:00", "vendors": ["apple", "apple$PRODUCT$ios", "mozilla", "mozilla$PRODUCT$firefox_for_ios"]}