Skip to main content
CVE Vulnerability Database

CVE-2025-0244: Mozilla Firefox XSS Vulnerability

CVE-2025-0244 is an XSS vulnerability in Mozilla Firefox for Android that enables address bar spoofing through invalid protocol redirects. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-0244 Overview

CVE-2025-0244 is an address bar spoofing vulnerability in Mozilla Firefox for Android. When the browser redirects to an invalid protocol scheme, an attacker can manipulate the displayed URL. This allows a malicious page to appear as if it originates from a trusted domain. The flaw is classified as a URL redirection to untrusted site issue [CWE-601] and only affects the Android build of Firefox. Desktop and other operating systems are unaffected. Mozilla fixed the issue in Firefox 134 through security advisory MFSA-2025-01.

Critical Impact

Attackers can spoof the Firefox for Android address bar to make phishing pages appear legitimate, undermining the primary visual trust indicator users rely on.

Affected Products

  • Mozilla Firefox for Android (versions prior to 134)
  • Firefox on Android operating systems only
  • Desktop Firefox and other Firefox ports are not affected

Discovery Timeline

  • 2025-01-07 - CVE-2025-0244 published to the National Vulnerability Database
  • 2025-01-07 - Mozilla publishes advisory MFSA-2025-01 and releases Firefox 134
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-0244

Vulnerability Analysis

The vulnerability resides in how Firefox for Android handles navigation to URLs that use an invalid or unrecognized protocol scheme. When the browser encounters such a redirect, it fails to properly reconcile the address bar contents with the actual origin of the page being rendered. The result is a mismatch between the displayed URL and the true page content, which enables address bar spoofing.

Because the address bar is the primary user-facing indicator of site identity on mobile browsers, this desynchronization can be leveraged for phishing. A victim visiting a crafted page can be shown a URL for a bank, login portal, or corporate site while viewing attacker-controlled content. Mobile users are especially vulnerable because Android Firefox truncates URLs and offers limited certificate inspection compared to desktop.

Root Cause

The root cause is improper input validation and state handling during redirect processing when the target URL contains an unregistered or malformed scheme. Firefox for Android updates the address bar prematurely or fails to clear it when the redirect chain terminates abnormally. This falls under CWE-601, URL redirection to an untrusted site (open redirect), applied to the browser chrome rather than a server-side redirector.

Attack Vector

Exploitation requires no authentication and no user interaction beyond visiting an attacker-controlled link. The attacker hosts a page that issues a navigation to a URL using an invalid protocol scheme. When Firefox for Android processes the redirect, the address bar retains or displays a URL controlled by the attacker while attacker content remains rendered. The attacker then presents credential prompts or fraudulent content under the guise of a trusted domain. See the Mozilla Bug Report #1929584 for reproduction details.

Detection Methods for CVE-2025-0244

Indicators of Compromise

  • Mobile web traffic to pages that issue redirects to unusual or non-standard URI schemes such as fabricated protocol handlers
  • User reports of Firefox Android address bar displaying a domain that does not match the page content or expected destination
  • Phishing landing pages served over HTTP or HTTPS that trigger client-side navigation with malformed scheme identifiers

Detection Strategies

  • Inventory Firefox for Android installations across managed mobile devices and flag any version prior to 134
  • Monitor mobile web gateway logs for redirect chains ending in invalid or uncommon scheme handlers
  • Correlate phishing reports from users of Android Firefox with URL patterns that include non-standard protocol schemes

Monitoring Recommendations

  • Track browser version telemetry from mobile device management (MDM) platforms to confirm patched builds are deployed
  • Alert on outbound DNS or HTTP requests to newly registered domains referenced from mobile browser sessions
  • Log user-submitted phishing reports and cross-reference against URLs that use anomalous scheme prefixes

How to Mitigate CVE-2025-0244

Immediate Actions Required

  • Update Firefox for Android to version 134 or later through the Google Play Store or F-Droid
  • Push the updated Firefox build through mobile device management to enrolled Android devices
  • Notify users of Firefox for Android to verify their browser version and install pending updates

Patch Information

Mozilla resolved the vulnerability in Firefox 134, released alongside advisory MFSA-2025-01. The fix corrects address bar state handling when a navigation targets an invalid protocol scheme. No standalone patch is available; users must upgrade to the fixed Firefox build for Android.

Workarounds

  • Use an alternate Android browser until Firefox can be updated to version 134 or later
  • Instruct users to verify site identity through TLS certificate inspection rather than relying solely on the address bar text
  • Restrict access to sensitive corporate resources on unpatched Firefox for Android builds via conditional access policies
bash
# Verify Firefox for Android version via ADB on a managed device
adb shell dumpsys package org.mozilla.firefox | grep versionName

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.