CVE-2025-11720 β€” User Interface (UI) Misrepresentation of Critical Information in Mozilla Firefox

CWE-451 β€” User Interface (UI) Misrepresentation of Critical Information6 documents6 sources
Severity
8.1HIGHNVD
EPSS
0.0%
top 86.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Mozilla Firefox
Timeline
PublishedOct 14

Description

The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability was fixed in Firefox 144.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages1 packages

β–ΆNVDmozilla/firefox< 144.0

πŸ”΄Vulnerability Details

3
OSV
CVE-2025-11720: The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname↗2025-10-14
β–Ά
GHSA
GHSA-wjv8-8vf9-mrv8: The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname↗2025-10-14
β–Ά
CVEList
Spoofing risk in Android custom tabs↗2025-10-14
β–Ά

πŸ“‹Vendor Advisories

2
Debian
CVE-2025-11720: firefox - The Firefox and Firefox Focus UI for the Android custom tab feature only showed ...β†—2025
β–Ά
Mozilla
Mozilla Foundation Security Advisory 2025-81: CVE-2025-11720β†—
β–Ά
CVE-2025-11720 β€” Mozilla Firefox vulnerability | cvebase