Skip to main content
CVE Vulnerability Database

CVE-2025-6431: Firefox Android Auth Bypass Vulnerability

CVE-2025-6431 is an authorization bypass vulnerability in Mozilla Firefox for Android that allows attackers to bypass external app prompts. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-6431 Overview

CVE-2025-6431 affects Firefox for Android versions prior to 140. The browser normally prompts users before opening a link in an external application. An attacker could bypass this prompt, causing external applications to be invoked without user confirmation. This exposes users to security vulnerabilities or privacy leaks residing in those external applications. The issue is scoped to the Android build of Firefox and does not affect desktop versions. Mozilla addressed the flaw in Firefox 140 and tracked it under advisory MFSA-2025-51. The weakness is classified as improper authorization [CWE-285].

Critical Impact

Attackers can silently trigger external Android applications through crafted links, bypassing Firefox's user confirmation dialog and enabling downstream exploitation.

Affected Products

  • Mozilla Firefox for Android versions prior to 140
  • Google Android (host operating system)
  • Firefox mobile builds distributed through Android channels

Discovery Timeline

  • 2025-06-24 - CVE-2025-6431 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-6431

Vulnerability Analysis

Firefox for Android uses Android's intent system to hand off links to external applications when the URL scheme or host matches a registered handler. By design, the browser presents a confirmation prompt before dispatching the intent. CVE-2025-6431 breaks that control path. An attacker-crafted link can reach the intent dispatch logic without triggering the confirmation dialog, resulting in an unauthorized transition from the browser to an external application. The flaw maps to CWE-285 (Improper Authorization) because the user authorization step is skipped. Mozilla classified it as a mobile-specific issue affecting only the Android product. The EPSS score at time of writing is 0.21%, indicating low observed exploitation likelihood, and no public proof-of-concept exists.

Root Cause

The root cause lies in the logic that governs when the external application prompt is shown. Under specific link constructions, the check that gates intent dispatch is not enforced. This allows the browser to invoke Intent.ACTION_VIEW or a similar handler against a registered external app without user consent. See Mozilla Bug Report #1942716 for the internal tracking record.

Attack Vector

An attacker hosts or delivers a crafted URL through a web page, message, or advertisement. When a Firefox for Android user interacts with the link, the browser dispatches the intent to an external application without prompting. The attacker chains this behavior with vulnerabilities or privacy-sensitive flows in the receiving application, such as deep-link parameter injection, credential handoff, or data exfiltration through URI parameters. User interaction is required to activate the link, but the confirmation prompt that would normally alert the user is absent.

No verified exploitation code is available. Refer to Mozilla Security Advisory MFSA-2025-51 for vendor technical details.

Detection Methods for CVE-2025-6431

Indicators of Compromise

  • Unexpected launches of external Android applications from Firefox browsing sessions with no user-visible prompt
  • Outbound intent traffic to sensitive apps (banking, messaging, password managers) originating from Firefox tabs
  • Access logs on web properties containing crafted deep-link URIs targeting registered Android schemes

Detection Strategies

  • Inventory Firefox for Android installations across managed mobile fleets and flag versions below 140
  • Inspect mobile device management (MDM) telemetry for intent transitions from org.mozilla.firefox to other package names without preceding user dialog events
  • Correlate web proxy logs with URLs containing intent://, custom schemes, or market:// payloads served to Android user agents

Monitoring Recommendations

  • Enable MDM reporting on browser versions and enforce minimum Firefox for Android build 140
  • Monitor Android application launch telemetry for anomalous cross-app activation patterns
  • Track user reports of applications opening unexpectedly while browsing in Firefox

How to Mitigate CVE-2025-6431

Immediate Actions Required

  • Update Firefox for Android to version 140 or later through Google Play or the Mozilla distribution channel
  • Enforce the minimum browser version through MDM policies on corporate mobile devices
  • Communicate the update requirement to users who install Firefox from unmanaged sources

Patch Information

Mozilla fixed CVE-2025-6431 in Firefox 140 for Android. Full remediation details are documented in Mozilla Security Advisory MFSA-2025-51. Desktop Firefox, Firefox ESR, and Thunderbird are not affected and require no action for this issue.

Workarounds

  • Restrict use of Firefox for Android below version 140 on managed devices until the update is applied
  • Advise users to avoid clicking untrusted links inside Firefox for Android until patched
  • Use MDM to restrict which external applications can be launched via intents on corporate profiles
bash
# Verify installed Firefox for Android version via adb
adb shell dumpsys package org.mozilla.firefox | grep versionName

# Expected output for a patched device:
# versionName=140.0 (or later)

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.