{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-55032", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-08-05T13:26:34.686Z", "datePublished": "2025-08-19T20:52:50.397Z", "dateUpdated": "2026-04-13T14:28:57.497Z"}, "containers": {"cna": {"affected": [{"product": "Focus for iOS", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "142", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Focus for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline, potentially allowing for XSS attacks. This vulnerability was fixed in Focus for iOS 142.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Focus for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline, potentially allowing for XSS attacks. This vulnerability was fixed in Focus for iOS 142."}]}], "title": "Focus incorrectly ignores Content-Disposition headers for some MIME types", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1976296"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-69/"}], "credits": [{"lang": "en", "value": "Renwa"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:28:57.497Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-601", "lang": "en", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-08-20T14:00:59.308632Z", "id": "CVE-2025-55032", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T15:16:57.127Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-55032", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-20T14:00:59.308632Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T14:01:03.388Z"}}], "cna": {"title": "Focus incorrectly ignores Content-Disposition headers for some MIME types", "credits": [{"lang": "en", "value": "Renwa"}], "affected": [{"vendor": "Mozilla", "product": "Focus for iOS", "versions": [{"status": "unaffected", "version": "142", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1976296"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-69/"}], "descriptions": [{"lang": "en", "value": "Focus for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline, potentially allowing for XSS attacks. This vulnerability was fixed in Focus for iOS 142.", "supportingMedia": [{"type": "text/html", "value": "Focus for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline, potentially allowing for XSS attacks. This vulnerability was fixed in Focus for iOS 142.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:28:57.497Z"}}}, "cveMetadata": {"cveId": "CVE-2025-55032", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:28:57.497Z", "dateReserved": "2025-08-05T13:26:34.686Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-08-19T20:52:50.397Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "667BB2C7-17E5-4D04-AA9A-1CBE726492AF", "versionEndExcluding": "142.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Focus for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline, potentially allowing for XSS attacks. This vulnerability was fixed in Focus for iOS 142."}, {"lang": "es", "value": "Focus para iOS no respetar\u00eda un encabezado Content-Disposition de tipo Attachment y mostrar\u00eda incorrectamente el contenido en l\u00ednea, lo que potencialmente permitir\u00eda ataques XSS. Esta vulnerabilidad afecta a Focus para iOS < 142."}], "id": "CVE-2025-55032", "lastModified": "2026-04-13T15:17:03.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-08-19T21:15:28.470", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1976296"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-69/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T16:45:13.489727+00:00", "value": {"mitigation_remediation": ["Upgrade Focus for iOS to version 142 or later", "Configure iOS to enforce content\u2011disposition processing for attachments so that inline rendering is prevented", "Check Mozilla\u2019s security advisories regularly for updates and apply them promptly"], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting (inline XSS)"}, "threat_synthesis": {"affected_systems": "The affected vendor is Mozilla, product Focus for iOS. Versions prior to the 142 release are vulnerable. The related CPE is cpe:2.3:a:mozilla:firefox_focus:*:*:*:*:*:iphone_os:*:*", "description_and_impact": "Focus for iOS ignores a Content\u2011Disposition header of type attachment for certain MIME types, causing the browser to render the content inline. This flaw allows an attacker to inject and execute JavaScript in the context of the user\u2019s device, a classic cross\u2011site scripting vulnerability classified as CWE\u2011601.", "risk_and_exploitability": "The CVSS score of 6.1 indicates medium severity. The EPSS score (<1%) shows a very low probability of exploitation, and the issue is not listed in the CISA KEV catalog. An attacker would need to supply malicious content that a user opens, relying on the browser rendering the attachment inline. No public exploit code is available, and the mitigation is to update the app, keeping risk moderate overall."}}}}, "created": "2025-08-21T12:31:32.820350+00:00", "updated": "2026-04-20T17:00:12.693957+00:00", "vendors": ["apple", "apple$PRODUCT$ios", "mozilla", "mozilla$PRODUCT$focus_for_ios"]}