CVE-2025-3029Authentication Bypass by Spoofing in Mozilla Firefox

CWE-290Authentication Bypass by SpoofingCWE-346Origin Validation Error11 documents8 sources
Severity
7.3HIGHNVD
EPSS
0.7%
top 29.04%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla ThunderbirdMozilla Firefox
Timeline
PublishedApr 1
Latest updateJul 22

Description

A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability was fixed in Firefox 137, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.4

Affected Packages3 packages

NVDmozilla/firefox< 128.9.0+1
NVDmozilla/thunderbird129.0137.0+1
Debianmozilla/thunderbird< 1:128.9.0esr-1~deb11u1+3

🔴Vulnerability Details

3
GHSA
GHSA-799g-3g44-3g9m: A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack2025-04-01
OSV
CVE-2025-3029: A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack2025-04-01
CVEList
URL Bar Spoofing via non-BMP Unicode characters2025-04-01

📋Vendor Advisories

7
Ubuntu
Thunderbird vulnerabilities2025-07-22
Red Hat
firefox: thunderbird: URL Bar Spoofing via non-BMP Unicode characters2025-04-01
Debian
CVE-2025-3029: firefox - A crafted URL containing specific Unicode characters could have hidden the true ...2025
Mozilla
Mozilla Foundation Security Advisory 2025-22: CVE-2025-3029
Mozilla
Mozilla Foundation Security Advisory 2025-20: CVE-2025-3029
CVE-2025-3029 — Authentication Bypass by Spoofing | cvebase