CVE-2025-8364 Overview
CVE-2025-8364 affects Mozilla Firefox on Android operating systems. A crafted URL using a blob: Uniform Resource Identifier (URI) could hide the true origin of a page, enabling a spoofing attack against users. The flaw maps to [CWE-451: User Interface (UI) Misrepresentation of Critical Information]. Attackers can leverage this weakness to display a URL bar or origin indicator that differs from the actual page origin. Mozilla addressed the issue in Firefox 141. Firefox installations on operating systems other than Android are not affected.
Critical Impact
Attackers can craft blob: URIs that misrepresent page origin in Firefox for Android, enabling phishing and credential theft scenarios against mobile users.
Affected Products
- Mozilla Firefox for Android (versions prior to 141)
- Google Android operating system (Firefox client only)
- Firefox releases prior to the MFSA-2025-56 advisory fix
Discovery Timeline
- 2025-08-19 - CVE-2025-8364 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-8364
Vulnerability Analysis
CVE-2025-8364 is a user interface misrepresentation flaw in Firefox for Android. The browser fails to correctly convey the true origin of a page loaded through a specially crafted blob: Uniform Resource Identifier. Because the origin indicator does not reflect the underlying content source, a remote attacker can present a page that appears to come from a trusted domain. The vulnerability requires user interaction, such as clicking a link or visiting an attacker-controlled page. Confidentiality is not directly impacted, but integrity of the address bar and origin display is compromised. Mozilla tracked the underlying issue in Mozilla Bug #1909609 and Mozilla Bug #1969937.
Root Cause
The root cause lies in how Firefox for Android renders and reports the origin of blob: URIs. blob: URIs reference in-memory binary large objects created by a parent origin. When constructed with specific patterns, the browser's UI logic displays or attributes an origin that does not match the effective security principal of the loaded content. This mismatch produces the spoofing condition described in [CWE-451].
Attack Vector
An attacker delivers a crafted URL to a Firefox for Android user through phishing messages, malicious advertisements, or a compromised website. When the user opens the link, the resulting blob: page loads attacker-controlled content while the origin display suggests a different, often trusted, source. The user may then submit credentials, authentication tokens, or other sensitive data believing they are interacting with a legitimate site. Only Firefox for Android is affected. Desktop Firefox and Firefox on other mobile platforms are not vulnerable, per the Mozilla Security Advisory MFSA-2025-56.
No public proof-of-concept code has been released for this issue. Technical details are described in the referenced Mozilla bug reports.
Detection Methods for CVE-2025-8364
Indicators of Compromise
- Inbound links or messages that contain blob: URI schemes delivered to Android endpoints running Firefox.
- HTTP referrers or telemetry showing Firefox for Android sessions transitioning from external links directly into blob: contexts.
- User reports of address bar content that does not match the visual branding or functionality of the displayed page.
Detection Strategies
- Inspect mobile web traffic logs for anomalous blob: URI usage originating from untrusted domains.
- Correlate phishing report submissions with Firefox for Android user-agent strings to surface targeted campaigns.
- Use mobile threat defense telemetry to identify outdated Firefox for Android versions (prior to 141) present on managed devices.
Monitoring Recommendations
- Track Firefox for Android version distribution across the fleet through Mobile Device Management (MDM) inventory data.
- Monitor secure web gateway and DNS logs for domains known to host credential harvesting pages targeting mobile browsers.
- Alert on user-reported spoofing incidents and route them to phishing response workflows for triage.
How to Mitigate CVE-2025-8364
Immediate Actions Required
- Upgrade Firefox for Android to version 141 or later on all managed and personal devices.
- Push the update through MDM policies or the Google Play managed configuration for enterprise-controlled Android fleets.
- Communicate the risk of blob: URI spoofing to users and reinforce verification of sensitive pages by other means, such as bookmarks.
Patch Information
Mozilla fixed CVE-2025-8364 in Firefox 141. Details are published in the Mozilla Security Advisory MFSA-2025-56. Users and administrators should install the release from Google Play or Mozilla's official distribution channels. Only the Android build required a code change; other platforms did not need an update for this specific issue.
Workarounds
- Use an alternate mobile browser on Android until Firefox is updated to version 141 or later.
- Disable click-through on unsolicited links in messaging and email applications on Android devices.
- Enforce phishing-resistant authentication such as WebAuthn to reduce the impact of credential-based spoofing.
No command-line configuration workaround exists for this issue. The fix is delivered exclusively through the Firefox for Android application update.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

