{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9183", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-08-19T15:56:04.756Z", "datePublished": "2025-08-19T20:33:57.019Z", "dateUpdated": "2026-04-13T14:28:39.668Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.2", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "142", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Address Bar component. This vulnerability was fixed in Firefox 142 and Firefox ESR 140.2.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Spoofing issue in the Address Bar component. This vulnerability was fixed in Firefox 142 and Firefox ESR 140.2."}]}], "title": "Spoofing issue in the Address Bar component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1976102"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-64/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-67/"}], "credits": [{"lang": "en", "value": "Renwa"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:28:39.668Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-451", "lang": "en", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-08-20T14:04:25.912395Z", "id": "CVE-2025-9183", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T15:18:23.255Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-9183", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-20T14:04:25.912395Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T14:04:31.545Z"}}], "cna": {"title": "Spoofing issue in the Address Bar component", "credits": [{"lang": "en", "value": "Renwa"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "142", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Firefox ESR", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "140.2", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1976102"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-64/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-67/"}], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Address Bar component. This vulnerability affects Firefox < 142 and Firefox ESR < 140.2.", "supportingMedia": [{"type": "text/html", "value": "Spoofing issue in the Address Bar component. This vulnerability affects Firefox < 142 and Firefox ESR < 140.2.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2025-10-30T16:10:56.186Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9183", "state": "PUBLISHED", "dateUpdated": "2025-10-30T16:10:56.186Z", "dateReserved": "2025-08-19T15:56:04.756Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-08-19T20:33:57.019Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "7C721868-B6F1-444A-B085-A41C1A11DA2A", "versionEndExcluding": "140.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "9F095AEE-D972-4427-A063-5CA441E4D1A5", "versionEndExcluding": "142.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Address Bar component. This vulnerability was fixed in Firefox 142 and Firefox ESR 140.2."}, {"lang": "es", "value": "Problema de suplantaci\u00f3n de identidad en la barra de direcciones. Esta vulnerabilidad afecta a Firefox (versi\u00f3n anterior a 142) y Firefox (versi\u00f3n anterior a 140.2)."}], "id": "CVE-2025-9183", "lastModified": "2026-04-13T15:17:14.140", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-08-19T21:15:30.777", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1976102"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-64/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-67/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-451"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Spoofing issue in the Address Bar component", "id": "2389582", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2389582"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-451", "details": ["Spoofing issue in the Address Bar component. This vulnerability affects Firefox < 142 and Firefox ESR < 140.2.", "A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: Spoofing issue in the Address Bar component."], "name": "CVE-2025-9183", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-08-19T20:33:57Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-9183\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-9183\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1976102\nhttps://www.mozilla.org/security/advisories/mfsa2025-64/\nhttps://www.mozilla.org/security/advisories/mfsa2025-67/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-20T16:49:15.649132+00:00", "value": {"mitigation_remediation": ["Upgrade Mozilla Firefox to version\u202f142 or later, or Firefox\u202fESR\u202f140.2 or later, to apply the official fix. ", "If an upgrade is not possible at the moment, install the latest security update provided by Mozilla\u2019s update service to reduce exposure. ", "Until the update is applied, avoid interacting with unfamiliar websites and verify the address bar content before entering sensitive information."], "summary": {"action": "Immediate update", "impact": "Address Bar spoofing"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox is affected, including the standard release and the ESR channel. Any installation of Firefox prior to version 142, and Firefox ESR prior to 140.2, is vulnerable. Later releases contain the fix.", "description_and_impact": "The vulnerability allows an attacker to manipulate the text displayed in the browser\u2019s address bar so that it misleads the user into believing they are interacting with a trusted domain. This can facilitate phishing or social\u2011engineering attacks, compromising the confidentiality of the user\u2019s actions without requiring code execution. The weakness is listed as CWE-451, implicating Impersonation.", "risk_and_exploitability": "The CVSS score of 6.5 reflects moderate severity. EPSS indicates a less than 1% chance of exploitation, and the vulnerability is not yet in the CISA KEV catalog. The likely attack vector involves a malicious website or link that, by forcing the address bar to display a spoofed URL, tricks a user into trusting the site. Successful exploitation depends on user interaction and the user\u2019s willingness to trust the altered address bar. "}}}}, "created": "2025-08-21T12:31:55.146280+00:00", "updated": "2026-04-20T17:00:12.727537+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox", "mozilla$PRODUCT$firefox_esr"]}