{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8042", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-07-22T10:14:13.121Z", "datePublished": "2025-08-19T20:52:46.674Z", "dateUpdated": "2026-04-13T14:31:31.459Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "141", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Firefox for Android allowed a sandboxed iframe without the <code>allow-downloads</code> attribute to start downloads. This vulnerability was fixed in Firefox 141."}]}], "title": "Sandboxed iframe could start downloads", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1791322"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-56/"}], "credits": [{"lang": "en", "value": "Axel Chong (@Haxatron)"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:31:31.459Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-732", "lang": "en", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-08-20T14:03:29.249302Z", "id": "CVE-2025-8042", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T15:18:01.430Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-8042", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-20T14:03:29.249302Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T14:03:33.799Z"}}], "cna": {"title": "Sandboxed iframe could start downloads", "credits": [{"lang": "en", "value": "Axel Chong (@Haxatron)"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "141", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1791322"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-56/"}], "descriptions": [{"lang": "en", "value": "Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141.", "supportingMedia": [{"type": "text/html", "value": "Firefox for Android allowed a sandboxed iframe without the <code>allow-downloads</code> attribute to start downloads. This vulnerability was fixed in Firefox 141.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:31:31.459Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8042", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:31:31.459Z", "dateReserved": "2025-07-22T10:14:13.121Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-08-19T20:52:46.674Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "8684A46E-D70A-4830-8971-A6DCC360F422", "versionEndExcluding": "141.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141."}, {"lang": "es", "value": "Firefox para Android permit\u00eda un iframe de la sandbox sin el atributo `allow-downloads` para iniciar descargas. Esta vulnerabilidad afecta a Firefox anterior a la versi\u00f3n 141."}], "id": "CVE-2025-8042", "lastModified": "2026-04-13T15:17:12.573", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-08-19T21:15:29.383", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1791322"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-56/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T16:48:07.041150+00:00", "value": {"mitigation_remediation": ["Upgrade Firefox to version 141 or later.", "If an immediate upgrade is not possible, disable automatic downloads or enforce stricter download policies in the Android device settings.", "For web developers, add the allow-downloads attribute to sandboxed iframes to prevent background download initiation."], "summary": {"action": "Apply Patch", "impact": "Unauthorized download initiation from sandboxed iframes"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox for Android is affected. Versions prior to 141 contain the vulnerability; the issue was fixed in the 141 release. Users running earlier builds are at risk.", "description_and_impact": "Firefox for Android allowed a sandboxed iframe that lacked the allow-downloads attribute to trigger file downloads. This flaw, identified as CWE\u2011732, permits untrusted web content to initiate arbitrary downloads without the user's explicit consent, potentially exposing users to malicious files, phishing, or malware. The impact is the compromise of user data integrity and confidentiality through unwanted downloads and could facilitate further infection or data exfiltration.", "risk_and_exploitability": "The CVSS score of 9.8 classifies the vulnerability as critical. However, the EPSS score of less than 1% indicates a low probability of exploitation at the time of analysis. It is not listed in CISA's KEV catalog. The likely attack vector is a malicious or compromised web page that embeds a sandboxed iframe without allow-downloads, drawing the user to download malicious payloads. The condition for exploitation requires the victim to view such content in Firefox for Android."}}}}, "created": "2025-08-21T12:31:33.373673+00:00", "updated": "2026-04-20T17:00:12.726255+00:00", "vendors": ["google", "google$PRODUCT$android", "mozilla", "mozilla$PRODUCT$firefox"]}