CRITICAL🇵🇱 Wersja polska

CVE-2025-55031

CVSS 9.8v3.1pub. 2025-08-19upd. 2026-04-13

Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This vulnerability was fixed in Firefox for iOS 142 and Focus for iOS 142.

🤖 AI Analysis
How it works

The vulnerability results from improper validation of redirects (CWE-601 — open redirect) in the handling of FIDO: schemes in the Firefox for iOS application. A malicious website could inject a FIDO: link and instruct the operating system to launch hybrid passkey transport based on Bluetooth. An attacker within Bluetooth range of the victim could impersonate a legitimate target device, thereby causing the user to authorize the attacker's session instead of their own.

Impact

The attacker can take full control of the victim's account on the target service, because the user unknowingly authenticates the attacker's login session using their own passkey. This results in a breach of confidentiality and integrity of the protected account.

Mitigation & patch

Firefox for iOS should be immediately updated to version 142 or later, and Firefox Focus for iOS should be updated to version 142 or later. Updates are available through the Apple App Store. Until the update is applied, avoid visiting untrusted websites in environments with Bluetooth enabled.

Who is affected

Firefox for iOS in versions prior to 142 and Firefox Focus for iOS in versions prior to 142.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 142.0
  • Mozilla Firefox Focus

    APP
    Mozilla
    < 142.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...