CVE-2025-8042 β€” Incorrect Permission Assignment in Mozilla Firefox

CWE-732 β€” Incorrect Permission Assignment5 documents5 sources
Severity
9.8CRITICALNVD
EPSS
0.1%
top 79.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Mozilla Firefox
Timeline
PublishedAug 19

Description

Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

β–ΆNVDmozilla/firefox< 141.0

πŸ”΄Vulnerability Details

2
CVEList
Sandboxed iframe could start downloads↗2025-08-19
β–Ά
GHSA
GHSA-86q6-8hr2-487f: Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads↗2025-08-19
β–Ά

πŸ“‹Vendor Advisories

2
Debian
CVE-2025-8042: firefox - Firefox for Android allowed a sandboxed iframe without the `allow-downloads` att...β†—2025
β–Ά
Mozilla
Mozilla Foundation Security Advisory 2025-56: CVE-2025-8042β†—
β–Ά
CVE-2025-8042 β€” Incorrect Permission Assignment | cvebase