{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8043", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-07-22T10:14:15.245Z", "datePublished": "2025-07-22T20:49:28.983Z", "dateUpdated": "2026-04-13T14:31:33.345Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "141", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability was fixed in Firefox 141.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability was fixed in Firefox 141."}]}], "title": "Incorrect URL truncation", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1970209"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-56/"}], "credits": [{"lang": "en", "value": "alayersattackers"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:31:33.345Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-451", "lang": "en", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-07-23T15:05:43.941119Z", "id": "CVE-2025-8043", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-23T15:15:12.037Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-8043", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-23T15:05:43.941119Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-23T15:06:13.394Z"}}], "cna": {"title": "Incorrect URL truncation", "credits": [{"lang": "en", "value": "alayersattackers"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "141", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1970209"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-56/"}], "descriptions": [{"lang": "en", "value": "Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability was fixed in Firefox 141.", "supportingMedia": [{"type": "text/html", "value": "Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability was fixed in Firefox 141.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:31:33.345Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8043", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:31:33.345Z", "dateReserved": "2025-07-22T10:14:15.245Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-07-22T20:49:28.983Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "8684A46E-D70A-4830-8971-A6DCC360F422", "versionEndExcluding": "141.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "matchCriteriaId": "95D506DD-BD9B-4D90-802F-5BE673F1CF14", "versionEndExcluding": "141.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability was fixed in Firefox 141."}, {"lang": "es", "value": "Las URL truncadas se enfocan incorrectamente al principio en lugar de alrededor del origen. Esta vulnerabilidad afecta a Firefox (versi\u00f3n anterior a la 141) y Thunderbird (versi\u00f3n anterior a la 141)."}], "id": "CVE-2025-8043", "lastModified": "2026-04-13T15:17:12.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-07-22T21:15:51.263", "references": [{"source": "security@mozilla.org", "tags": ["Exploit", "Issue Tracking"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1970209"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-56/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-451"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: thunderbird: Incorrect URL truncation", "id": "2382706", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2382706"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-451", "details": ["Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability affects Firefox < 141 and Thunderbird < 141.", "A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue:\nFocus incorrectly truncated URLs towards the beginning instead of around the origin."], "name": "CVE-2025-8043", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/thunderbird-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-07-22T20:49:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-8043\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-8043\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1970209\nhttps://www.mozilla.org/security/advisories/mfsa2025-56/\nhttps://www.mozilla.org/security/advisories/mfsa2025-61/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-22T01:02:38.025718+00:00", "value": {"mitigation_remediation": ["Upgrade Firefox to version\u202f141 or later to eliminate the truncation issue.", "Upgrade Thunderbird to the latest available release when a patch is released; until then, avoid using vulnerable versions for browsing.", "Use safe browsing features or install a link\u2011preview extension that accurately displays URLs to mitigate confusion from truncated addresses."], "summary": {"action": "Patch", "impact": "URL truncation leads to misleading address display"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Mozilla Firefox; all releases prior to version\u00a0141 are vulnerable, with the fix applied in Firefox\u00a0141. The Common Platform Enumeration list also includes Thunderbird, but no specific patch version is documented, so older Thunderbird releases remain at potential risk until an update is released.", "description_and_impact": "Mozilla\u2019s browsers incorrectly truncate URLs toward the beginning instead of around the origin. This causes the address shown to omit the true destination and instead display a benign prefix, potentially confusing users about the site they are viewing. The flaw is classified as CWE\u2011451, improper handling of output visible to users, and can undermine user confidence in the browser\u2019s address bar.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a high severity. The EPSS score of less than 1% implies that exploitation is currently rare, and the flaw is not listed in CISA\u2019s KEV catalog. Based on the description, the likely attack vector is through the browser UI: an attacker can craft a link that displays a harmless prefix while the actual destination is malicious, potentially enabling social engineering or deceptive browsing experiences."}}}}, "created": "2025-07-23T17:36:00.650272+00:00", "updated": "2026-04-22T01:15:07.299345+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox", "mozilla$PRODUCT$thunderbird"]}