{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9186", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-08-19T15:56:08.382Z", "datePublished": "2025-08-19T20:33:56.025Z", "dateUpdated": "2026-04-13T14:29:47.345Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "142", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Address Bar component of Firefox Focus for Android. This vulnerability was fixed in Firefox 142.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Spoofing issue in the Address Bar component of Firefox Focus for Android. This vulnerability was fixed in Firefox 142."}]}], "title": "Spoofing issue in the Address Bar component of Firefox Focus for Android", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1445758"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-64/"}], "credits": [{"lang": "en", "value": "Kevin Brosnan"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:29:47.345Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-451", "lang": "en", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-08-20T14:05:05.196379Z", "id": "CVE-2025-9186", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T15:18:36.097Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-9186", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-20T14:05:05.196379Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-20T14:05:09.607Z"}}], "cna": {"title": "Spoofing issue in the Address Bar component of Firefox Focus for Android", "credits": [{"lang": "en", "value": "Kevin Brosnan"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "142", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1445758"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-64/"}], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Address Bar component of Firefox Focus for Android. This vulnerability affects Firefox < 142.", "supportingMedia": [{"type": "text/html", "value": "Spoofing issue in the Address Bar component of Firefox Focus for Android. This vulnerability affects Firefox < 142.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2025-10-30T16:11:39.561Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9186", "state": "PUBLISHED", "dateUpdated": "2025-10-30T16:11:39.561Z", "dateReserved": "2025-08-19T15:56:08.382Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-08-19T20:33:56.025Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "9F095AEE-D972-4427-A063-5CA441E4D1A5", "versionEndExcluding": "142.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Spoofing issue in the Address Bar component of Firefox Focus for Android. This vulnerability was fixed in Firefox 142."}, {"lang": "es", "value": "Problema de suplantaci\u00f3n de identidad en la barra de direcciones de Firefox Focus para Android. Esta vulnerabilidad afecta a Firefox (versi\u00f3n anterior a la 142)."}], "id": "CVE-2025-9186", "lastModified": "2026-04-13T15:17:14.673", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-08-19T21:15:31.180", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1445758"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-64/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-451"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T16:50:05.407094+00:00", "value": {"mitigation_remediation": ["Update Firefox Focus to version 142 or later, ensuring the address bar spoofing fix is applied", "If the update cannot be performed immediately, discontinue use of the browser for sensitive interactions until the patch is installed", "When browsing, verify the displayed URL and HTTPS padlock before interacting, especially when encountering unfamiliar sites"], "summary": {"action": "Apply Patch", "impact": "Spoofing of the displayed URL in Firefox Focus for Android, enabling deceptive user interfaces and facilitating phishing attacks"}, "threat_synthesis": {"affected_systems": "Mozilla\u2019s Firefox Focus for Android; specifically any installation running Firefox Focus version 141 or earlier, until the application is updated to version 142 or later.", "description_and_impact": "The Address Bar component in Firefox Focus for Android can display an incorrect or misleading URL, potentially leading users to believe they are on a legitimate site when they are not. This spoofing can undermine user trust and enable phishing or social\u2011engineering attacks, as the user may interact with malicious content based on the falsified address. The vulnerability has been fixed in Firefox 142, so versions prior to that may exhibit the flaw.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The most plausible attack scenario involves malicious web content or compromised network traffic that triggers the address bar to incorrectly display the URL; this inference is drawn from the description of a spoofing issue in the editor component. Attackers would need to embed deceptive content within the browser session to exploit the flaw, making it a local or application\u2011level vector rather than a remote host attack."}}}}, "created": "2025-08-21T12:31:55.987422+00:00", "updated": "2026-04-20T17:00:12.728730+00:00", "vendors": ["google", "google$PRODUCT$android", "mozilla", "mozilla$PRODUCT$firefox"]}