{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-55029", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-08-05T13:26:34.685Z", "datePublished": "2025-08-19T20:52:50.120Z", "dateUpdated": "2026-04-13T14:31:53.669Z"}, "containers": {"cna": {"affected": [{"product": "Firefox for iOS", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "142", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks. This vulnerability was fixed in Firefox for iOS 142.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks. This vulnerability was fixed in Firefox for iOS 142."}]}], "title": "Malicious scripts could spam popups for denial of service attacks", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1973577"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-68/"}], "credits": [{"lang": "en", "value": "Bharat"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:31:53.669Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-08-20T14:01:16.946660Z", "id": "CVE-2025-55029", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T15:17:05.592Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-55029", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-20T14:01:16.946660Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T14:01:20.734Z"}}], "cna": {"title": "Malicious scripts could spam popups for denial of service attacks", "credits": [{"lang": "en", "value": "Bharat"}], "affected": [{"vendor": "Mozilla", "product": "Firefox for iOS", "versions": [{"status": "unaffected", "version": "142", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1973577"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-68/"}], "descriptions": [{"lang": "en", "value": "Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks. This vulnerability was fixed in Firefox for iOS 142.", "supportingMedia": [{"type": "text/html", "value": "Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks. This vulnerability was fixed in Firefox for iOS 142.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:31:53.669Z"}}}, "cveMetadata": {"cveId": "CVE-2025-55029", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:31:53.669Z", "dateReserved": "2025-08-05T13:26:34.685Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-08-19T20:52:50.120Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "7EE372C2-99CB-45F5-9F6B-0862D02C6374", "versionEndExcluding": "142.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks. This vulnerability was fixed in Firefox for iOS 142."}, {"lang": "es", "value": "Los scripts maliciosos podr\u00edan eludir el bloqueador de ventanas emergentes para enviar spam a nuevas pesta\u00f1as, lo que podr\u00eda provocar ataques de denegaci\u00f3n de servicio. Esta vulnerabilidad afecta a Firefox para iOS < 142."}], "id": "CVE-2025-55029", "lastModified": "2026-04-13T15:17:02.503", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-08-19T21:15:28.090", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1973577"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-68/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T16:45:27.097816+00:00", "value": {"mitigation_remediation": ["Update Firefox for iOS to version\u00a0142 or later. ", "Enable the browser\u2019s popup blocker, which provides partial protection when the script is blocked. ", "Avoid visiting or interacting with untrusted web content and consider installing reputable content blockers on iOS."], "summary": {"action": "Patch", "impact": "Denial of Service via popup spam"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox for iOS versions earlier than 142 are affected. The fix was implemented in Firefox for iOS 142, so all users on 141 and earlier are vulnerable.", "description_and_impact": "Malicious scripts can bypass Firefox for iOS\u2019s popup blocker to open many new tabs, which can consume system resources and render the browser unusable. The weakness is a resource exhaustion flaw (CWE-400) that leads to denial of service.", "risk_and_exploitability": "The CVSS score is 7.5, indicating a high severity condition. The EPSS score of less than 1% shows a very low probability of observed exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to inject a malicious script into a web page or local content that the target user opens, or otherwise get the script executed in the browser context, to trigger the popup spam. The exploit path requires the user to load the compromised content; no remote code execution or elevated privileges are required. The impact is limited to the client\u2019s device resources, though repeated attacks could degrade the browsing experience over time."}}}}, "created": "2025-08-21T12:31:53.376177+00:00", "updated": "2026-04-20T17:00:12.707131+00:00", "vendors": ["apple", "apple$PRODUCT$ios", "mozilla", "mozilla$PRODUCT$firefox_for_ios"]}