CVE-2025-6428 Overview
CVE-2025-6428 is an open redirect vulnerability affecting Firefox for Android. When a URL is supplied through a link querystring parameter, the browser follows the attacker-controlled URL instead of the legitimate destination. This behavior enables phishing attacks by leveraging the trust users place in known links. The flaw is categorized under [CWE-601] URL Redirection to Untrusted Site. Only Firefox for Android is affected; desktop and other Firefox variants are not impacted. Mozilla fixed the issue in Firefox 140 as documented in Mozilla Security Advisory MFSA-2025-51.
Critical Impact
Attackers can craft links that appear legitimate but silently redirect Firefox for Android users to phishing pages, enabling credential theft and social engineering campaigns.
Affected Products
- Mozilla Firefox for Android (versions prior to 140)
- Google Android platform hosting vulnerable Firefox builds
- Mobile deployments relying on Firefox as the default browser
Discovery Timeline
- 2025-06-24 - CVE-2025-6428 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-6428
Vulnerability Analysis
CVE-2025-6428 is an open redirect flaw in Firefox for Android. The browser accepts a URL passed inside a link querystring parameter and navigates to that URL instead of the intended target. This bypasses the user's expectation that clicking a link on a trusted domain will keep them on that domain. Attackers can host links that display a legitimate origin while redirecting victims to attacker-controlled infrastructure. The vulnerability requires user interaction, typically clicking a crafted link. Successful exploitation supports phishing scenarios such as credential harvesting, malicious download prompts, and OAuth consent abuse.
Root Cause
The root cause is improper validation of the URL supplied through the link querystring parameter. Firefox for Android trusts the parameter value and treats it as the navigation target without confirming the destination matches the originating context. This falls under [CWE-601] URL Redirection to Untrusted Site (Open Redirect).
Attack Vector
The attack vector is network-based and requires user interaction. An attacker publishes or distributes a URL containing a querystring parameter with an attacker-controlled destination. When a Firefox for Android user clicks the link, the browser follows the querystring URL rather than the anchored URL. The victim lands on a phishing page that may impersonate a trusted service. See the Mozilla Bug Report #1970151 for the underlying bug tracker discussion.
Detection Methods for CVE-2025-6428
Indicators of Compromise
- Outbound HTTP requests from Firefox for Android to domains that differ from the anchor text or displayed link
- Web proxy or DNS logs showing navigation to newly registered or low-reputation domains immediately after a click on a trusted site
- User reports of unexpected redirects when clicking links inside Firefox for Android
Detection Strategies
- Inspect proxy and secure web gateway logs for URLs containing embedded absolute URLs in querystring parameters
- Correlate referrer chains where the referring host does not match the destination host to surface open redirect abuse
- Flag Firefox for Android user agents navigating to known phishing or typosquatting infrastructure
Monitoring Recommendations
- Track Firefox for Android version telemetry across managed mobile devices to identify builds below version 140
- Alert on phishing kit indicators, credential submission endpoints, and OAuth consent screens reached from mobile Firefox sessions
- Feed threat intelligence on active phishing domains into mobile browser filtering and DNS security layers
How to Mitigate CVE-2025-6428
Immediate Actions Required
- Update Firefox for Android to version 140 or later on all managed and personal devices
- Enforce mobile application patch policies through mobile device management (MDM) to ensure browser updates are applied automatically
- Educate users about verifying the final destination of links, especially on mobile where the address bar is easy to overlook
Patch Information
Mozilla addressed CVE-2025-6428 in Firefox 140. Details are available in Mozilla Security Advisory MFSA-2025-51 and the associated Mozilla Bug Report #1970151. Users should install the update through the Google Play Store or Mozilla's distribution channels.
Workarounds
- Use an alternate mobile browser on Android until the Firefox update is applied
- Block or rewrite outbound URLs containing suspicious querystring redirect parameters at the network egress or secure web gateway layer
- Deploy DNS filtering to block known phishing domains that leverage open redirect chains
# Configuration example: block URLs with embedded redirect parameters at the proxy layer
# Example Squid ACL to flag querystring-based open redirects
acl open_redirect url_regex -i (\?|&)(url|redirect|next|link|target|dest|destination)=https?%3a%2f%2f
http_access deny open_redirect
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

