{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8364", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-07-30T16:10:59.624Z", "datePublished": "2025-08-19T20:52:46.969Z", "dateUpdated": "2026-04-13T14:31:35.465Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "141", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack.\n*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 141.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack.<br>*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 141."}]}], "title": "Address bar spoofing using an blob URI on Firefox for Android", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1909609"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1969937"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-56/"}], "credits": [{"lang": "en", "value": "Rifa'i Rejal Maynando and Ameen Basha M K"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:31:35.465Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-451", "lang": "en", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-08-20T14:03:15.593336Z", "id": "CVE-2025-8364", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T15:17:55.116Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-8364", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-20T14:03:15.593336Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T14:03:19.415Z"}}], "cna": {"title": "Address bar spoofing using an blob URI on Firefox for Android", "credits": [{"lang": "en", "value": "Rifa'i Rejal Maynando and Ameen Basha M K"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "141", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1909609"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1969937"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-56/"}], "descriptions": [{"lang": "en", "value": "A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack.\n*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 141.", "supportingMedia": [{"type": "text/html", "value": "A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack.<br>*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 141.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:31:35.465Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8364", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:31:35.465Z", "dateReserved": "2025-07-30T16:10:59.624Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-08-19T20:52:46.969Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "8684A46E-D70A-4830-8971-A6DCC360F422", "versionEndExcluding": "141.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack.\n*Note: This issue only affected Android operating systems. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 141."}, {"lang": "es", "value": "Una URL manipulada con un blob: URI podr\u00eda haber ocultado el verdadero origen de la p\u00e1gina, lo que podr\u00eda provocar un ataque de suplantaci\u00f3n de identidad. *Nota: Este problema solo afecta a los sistemas operativos Android. Los dem\u00e1s sistemas operativos no se ven afectados.* Esta vulnerabilidad afecta a Firefox &lt; 141."}], "id": "CVE-2025-8364", "lastModified": "2026-04-13T15:17:13.173", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-08-19T21:15:29.510", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1909609"}, {"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1969937"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-56/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-451"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T16:47:53.352159+00:00", "value": {"mitigation_remediation": ["Update Firefox to version\u202f141 or newer on all Android devices.", "Enable automatic updates for Firefox to receive future security patches.", "If an update is not possible, consider using an alternative mobile browser or applying an enterprise policy that blocks blob: URIs to mitigate spoofing risk."], "summary": {"action": "Upgrade", "impact": "Spoofing of address bar"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox for Android operating systems. All Firefox releases prior to 141 on Android devices are affected, as the issue was resolved in Firefox\u00a0141.", "description_and_impact": "A crafted URL using a blob: URI can conceal the true origin of a web page, allowing a malicious actor to present a page that appears to come from a legitimate site while actually originating elsewhere; the vulnerability could be exploited in a phishing or spoofing scenario, potentially misleading users despite no direct code execution or privilege escalation being stated.", "risk_and_exploitability": "The CVSS score of 4.3 reflects a low-moderate risk profile, and the EPSS score of less than 1% indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require a user to open a crafted link or be tricked into interacting with a blob: URI, which suggests the attack vector is likely user\u2011initiated activity such as clicking a malicious link or visiting a tampered web page."}}}}, "created": "2025-08-21T12:31:51.293418+00:00", "updated": "2026-04-20T17:00:12.725653+00:00", "vendors": ["google", "google$PRODUCT$android", "mozilla", "mozilla$PRODUCT$firefox"]}