CVE-2025-6431: Improper Authorization in Mozilla Firefox

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.1% (top 84.72%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jun 24
Latest update: Jun 26

Description

When a link can be opened in an external application, Firefox for Android will, by default, prompt the user before doing so. An attacker could have bypassed this prompt, potentially exposing the user to security vulnerabilities or privacy leaks in external applications. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability was fixed in Firefox 140.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (1 package)

NVD: mozilla/firefox < 140.0

🔴 Vulnerability Details (3)

GHSA
GHSA-jh8f-wj26-59hv: When a link can be opened in an external application, Firefox for Android will, by default, prompt the user before doing so (2025-06-26)
OSV
CVE-2025-6431: When a link can be opened in an external application, Firefox for Android will, by default, prompt the user before doing so (2025-06-24)
CVEList
The prompt in Firefox for Android that asks before opening a link in an external application could be bypassed (2025-06-24)

📋 Vendor Advisories (4)

Red Hat
firefox: The prompt in Firefox for Android that asks before opening a link in an external application could be bypassed (2025-06-24)
Red Hat
kernel: platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it (2025-01-19)
Debian
CVE-2025-6431: firefox - When a link can be opened in an external application, Firefox for Android will, ... (2025)
Mozilla
Mozilla Foundation Security Advisory 2025-51: CVE-2025-6431