CVE-2025-55031 Overview
CVE-2025-55031 is a critical open redirect vulnerability (CWE-601) affecting Mozilla Firefox for iOS and Focus for iOS that allows malicious web pages to abuse the FIDO: URL scheme to trigger hybrid passkey transport. This vulnerability enables attackers within Bluetooth range to exploit the passkey authentication flow, potentially tricking users into authenticating the attacker's device to their accounts.
The vulnerability stems from improper validation of FIDO: links passed from web content to the iOS operating system. When a user visits a malicious webpage, the attacker can trigger the hybrid passkey transport mechanism without proper authorization, creating an opportunity for a sophisticated phishing attack that targets passkey-based authentication systems.
Critical Impact
An attacker within Bluetooth range can hijack passkey authentication flows to gain unauthorized access to user accounts by exploiting Firefox for iOS's improper handling of FIDO: URL schemes.
Affected Products
- Mozilla Firefox for iOS versions prior to 142
- Mozilla Focus for iOS versions prior to 142
- iOS devices with Bluetooth enabled running vulnerable browser versions
Discovery Timeline
- August 19, 2025 - CVE-2025-55031 published to NVD
- August 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-55031
Vulnerability Analysis
This vulnerability represents a dangerous intersection of URL scheme handling and passkey authentication mechanisms on iOS. The root issue involves Firefox for iOS improperly allowing web content to pass FIDO: links directly to the iOS operating system without adequate validation or user confirmation. The FIDO: URL scheme is designed to facilitate passkey-based authentication, but when exploited, it enables attackers to intercept the hybrid passkey transport flow.
The hybrid passkey transport mechanism allows passkeys stored on one device (such as a smartphone) to authenticate sessions on another device (such as a laptop) via Bluetooth. By triggering this flow from a malicious webpage, an attacker can position their own device to receive the authentication instead of the legitimate target, effectively hijacking the user's credentials.
Root Cause
The vulnerability originates from insufficient input validation in Firefox for iOS's URL scheme handler. The browser fails to properly validate or restrict FIDO: links before passing them to the iOS system for processing. This missing security constraint allows untrusted web content to directly invoke passkey authentication flows, bypassing intended security boundaries between web content and system-level authentication services.
The CWE-601 (URL Redirection to Untrusted Site) classification reflects how the browser redirects sensitive FIDO authentication requests to potentially malicious endpoints without proper verification.
Attack Vector
The attack requires the following conditions to be successful:
- The victim visits a malicious webpage using Firefox for iOS or Focus for iOS (versions prior to 142)
- The attacker must be within Bluetooth range of the victim's device
- The victim's device must have Bluetooth enabled
- The victim must interact with or be tricked by the malicious page into triggering the passkey flow
The malicious page constructs a specially crafted FIDO: link that, when processed by the vulnerable browser, initiates the hybrid passkey transport. The attacker's device, positioned within Bluetooth range, intercepts this authentication request and presents itself as the legitimate target device. If the user proceeds with authentication, their passkey authenticates the attacker's session instead of their own intended session.
For technical details on the vulnerability mechanism, see the Mozilla Bug Report #1979499 and Mozilla Bug Report #1979804.
Detection Methods for CVE-2025-55031
Indicators of Compromise
- Unexpected Bluetooth pairing requests or passkey prompts while browsing web content
- Browser-initiated FIDO authentication requests on unfamiliar or suspicious websites
- User reports of unexpected login confirmations or authentication requests on mobile devices
- Logs showing FIDO: URL scheme invocations from untrusted web origins
Detection Strategies
- Monitor application logs for unusual FIDO: URL scheme handler invocations
- Implement endpoint detection that identifies installed Firefox for iOS and Focus for iOS versions prior to 142
- Review mobile device management (MDM) logs for browsers running vulnerable versions
- Deploy browser version compliance checks across managed iOS devices
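The two detection strategies above (flagging FIDO: URL scheme invocations from origins you do not recognise, and flagging browser builds older than 142) can be combined in one triage pass over exported logs. The following is an added example, not code from this advisory, from Mozilla or from SentinelOne; the log line format, the field names (app, version, origin, scheme, action), the app identifiers firefox-ios and focus-ios, and the trusted-origin allowlist are all constructed assumptions, since real MDM and browser log formats differ. The fixed version number 142 is the one stated in the advisory.

```python
"""Triage helpers for CVE-2025-55031 hunting (added example, constructed log format)."""
import re
from urllib.parse import urlparse

FIXED_MAJOR = 142  # Firefox for iOS / Focus for iOS 142 contain the fix (per the advisory)
AFFECTED_APPS = {"firefox-ios", "focus-ios"}  # assumed app identifiers in the inventory/log

# Constructed allowlist: relying parties where a passkey (FIDO) hand-off is expected.
TRUSTED_ORIGINS = {"login.example-rp.com"}

# Constructed sample log lines; NOT a real Firefox log format. Each records the app and
# version, the web origin that handed a URL to the OS, and the scheme of that URL.
SAMPLE_LOG = """\
2025-08-20T10:14:55Z app=firefox-ios version=141.2 origin=https://login.example-rp.com scheme=fido action=open_external_url
2025-08-20T10:15:02Z app=firefox-ios version=141.2 origin=https://promo-evil.example scheme=fido action=open_external_url
2025-08-20T10:15:40Z app=firefox-ios version=142.0 origin=https://promo-evil.example scheme=https action=navigate
2025-08-20T10:16:10Z app=focus-ios version=140.0 origin=http://news.example.net scheme=FIDO action=open_external_url
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_version(version: str) -> tuple:
    """Turn '141.3' into (141, 3). Stops at the first non-numeric piece ('142.0b1' -> (142, 0))."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(app: str, version: str) -> bool:
    """True when the app is an affected browser and its major version is below 142.

    Versions are compared numerically, not as strings: as strings "99" < "142" is False,
    which would wrongly mark a very old build as compliant. An unparseable version is
    treated as non-compliant so that it gets looked at rather than silently passing.
    """
    if app not in AFFECTED_APPS:
        return False
    v = parse_version(version)
    if not v:
        return True
    return v[0] < FIXED_MAJOR


def parse_line(line: str):
    """Split one constructed log line into a dict of its key=value fields plus 'ts'."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields


def triage(log_text: str, trusted_origins: set) -> list:
    """Return findings for every FIDO: scheme hand-off in the log.

    A record is reported when the originating web host is outside the allowlist, when the
    browser build is still vulnerable, or both; the 'reasons' list says which.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("scheme", "").lower() != "fido":
            continue  # only the FIDO: scheme is relevant to this CVE
        host = urlparse(rec.get("origin", "")).hostname or ""
        reasons = []
        if host not in trusted_origins:
            reasons.append("fido_from_untrusted_origin")
        if is_vulnerable(rec.get("app", ""), rec.get("version", "")):
            reasons.append("vulnerable_browser_version")
        if reasons:
            findings.append({"ts": rec["ts"], "app": rec.get("app", ""),
                             "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, TRUSTED_ORIGINS):
        print(finding)
```

On the constructed sample the third line is ignored (an ordinary https navigation), the first line is reported only because the build is 141.2, and the second and fourth lines are reported for both reasons. The scheme comparison is case-insensitive because the page writes the scheme as FIDO: while logs may lowercase it; the allowlist is matched on hostname only so that a path or query string cannot make an untrusted origin look trusted.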
Monitoring Recommendations
- Enable SentinelOne mobile threat detection to identify vulnerable browser versions
- Configure alerts for unexpected passkey authentication attempts
- Monitor network traffic patterns for suspicious web content delivery
- Implement user behavior analytics to detect anomalous authentication flows
How to Mitigate CVE-2025-55031
Immediate Actions Required
- Update Firefox for iOS to version 142 or later immediately
- Update Focus for iOS to version 142 or later immediately
- Advise users to exercise caution when prompted for passkey authentication on unfamiliar websites
- Consider temporarily disabling Bluetooth when not in active use until updates are applied
- Review recent passkey-based authentications for any suspicious activity
Patch Information
Mozilla has released security patches addressing this vulnerability in Firefox for iOS version 142 and Focus for iOS version 142. Organizations should prioritize updating all managed iOS devices running these browsers. Full details are available in the Mozilla Security Advisory MFSA-2025-68 for Firefox and Mozilla Security Advisory MFSA-2025-69 for Focus.
Workarounds
- Temporarily use alternative browsers on iOS until updates are applied
- Disable hybrid passkey transport functionality if device management allows
- Implement network-level controls to restrict access to known malicious domains
- Educate users about the risks of responding to unexpected passkey prompts
# Check Firefox for iOS version via MDM query
# Ensure version is 142 or higher
# Example MDM compliance policy (shell); browser_version is supplied by the MDM query,
# e.g. browser_version="141.3"
major="${browser_version%%.*}"        # compare the numeric major version, not the string
if [ "${major:-0}" -lt 142 ]; then
    flag_device_non_compliant          # MDM-specific action (placeholder)
    notify_user_update_required        # MDM-specific action (placeholder)
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

