Skip to main content
CVE Vulnerability Database

CVE-2025-1935: Mozilla Firefox XSS Vulnerability

CVE-2025-1935 is an XSS flaw in Mozilla Firefox that allows web pages to trick users into setting malicious sites as default protocol handlers. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-1935 Overview

CVE-2025-1935 affects Mozilla Firefox and Thunderbird. A web page can trick a user into setting the site as the default handler for a custom URL protocol. The flaw is a user interface confusion issue that requires user interaction to succeed.

Mozilla patched the vulnerability in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8. The issue is tracked under Mozilla Foundation Security Advisories MFSA-2025-14, MFSA-2025-16, MFSA-2025-17, and MFSA-2025-18. The Common Weakness Enumeration classification is [CWE-79].

Critical Impact

An attacker-controlled page can manipulate protocol handler registration, redirecting future custom-scheme navigations to a malicious site and enabling downstream phishing or credential-harvesting flows.

Affected Products

  • Mozilla Firefox versions prior to 136
  • Mozilla Firefox ESR versions prior to 128.8
  • Mozilla Thunderbird versions prior to 136 and 128.8

Discovery Timeline

  • 2025-03-04 - CVE-2025-1935 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-1935

Vulnerability Analysis

The vulnerability resides in the browser's handling of custom URL protocol handler registration. Firefox and Thunderbird expose an API and prompt flow that lets a web page request registration as the default handler for a custom scheme. A crafted page can manipulate this flow to trick the user into approving the registration without understanding the consequences.

Once approved, the attacker-controlled site becomes the default handler for the targeted custom protocol. Subsequent navigations to URLs using that scheme, from any application that hands off to the browser, route through the attacker's page. This creates a persistent redirection primitive across browsing sessions.

The issue is rooted in user interface confusion classified under [CWE-79]. The attack does not yield code execution or direct data access. Instead, it enables phishing, credential capture, and impersonation of legitimate protocol handlers.

Root Cause

The underlying cause is insufficient clarity and confirmation in the protocol handler registration prompt. The user is not adequately warned about the persistent, cross-session consequences of approving a handler request from a web page. See Mozilla Bug Report #1866661 for technical detail on the fix.

Attack Vector

Exploitation requires a victim to visit an attacker-controlled web page and interact with the handler registration prompt. The attack vector is network-based and requires user interaction. No authentication or elevated privileges are needed on the target system.

The vulnerability is described in prose only because no verified public proof-of-concept has been published. Refer to the Mozilla Security Advisory MFSA-2025-14 for vendor detail.

Detection Methods for CVE-2025-1935

Indicators of Compromise

  • Unexpected entries in the browser's protocol handler configuration, visible under Firefox about:preferences#general in the Applications section.
  • User reports of custom-scheme links (for example web+custom://) opening on unfamiliar third-party sites.
  • Browser telemetry showing registerProtocolHandler API calls from untrusted origins immediately before user-reported redirection issues.

Detection Strategies

  • Inventory installed Firefox and Thunderbird versions across the fleet and flag any instance below Firefox 136, ESR 128.8, or Thunderbird 136 / 128.8.
  • Monitor endpoint telemetry for browser preference file changes, specifically handlers.json in the Firefox profile directory.
  • Correlate proxy and DNS logs for outbound connections to newly registered handler domains following user browsing activity.

Monitoring Recommendations

  • Ingest browser configuration and profile change events into a centralized log platform for review.
  • Alert on modifications to Firefox and Thunderbird profile directories on managed endpoints.
  • Track user-submitted phishing reports involving custom URL schemes and correlate with recent web browsing history.

How to Mitigate CVE-2025-1935

Immediate Actions Required

  • Upgrade Firefox to version 136 or later on all endpoints.
  • Upgrade Firefox ESR to 128.8 or later where extended support release channels are deployed.
  • Upgrade Thunderbird to 136 or 128.8 or later across mail client deployments.
  • Audit existing protocol handler registrations in user profiles and remove entries that map to untrusted domains.

Patch Information

Mozilla addressed the vulnerability in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8. Patch detail is available in Mozilla Security Advisory MFSA-2025-16, MFSA-2025-17, and MFSA-2025-18. Debian users should apply updates referenced in the Debian LTS Announcement.

Workarounds

  • Deploy enterprise policy to restrict or disable web-initiated protocol handler registration through Firefox policies.json.
  • Educate users to reject protocol handler prompts from unfamiliar web pages.
  • Periodically reset the handlers.json file in managed Firefox profiles to a known-good baseline.
bash
# Firefox enterprise policy example to lock protocol handler behavior
# Path: /etc/firefox/policies/policies.json (Linux) or %ProgramFiles%\Mozilla Firefox\distribution\policies.json (Windows)
{
  "policies": {
    "Preferences": {
      "network.protocol-handler.external.default": {
        "Value": false,
        "Status": "locked"
      }
    }
  }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.