CRITICAL🇵🇱 Wersja polska

CVE-2025-8043

CVSS 9.8v3.1pub. 2025-07-22upd. 2026-04-13

Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability was fixed in Firefox 141.

🤖 AI Analysis
How it works

The vulnerability (CWE-451 — User Interface Misrepresentation of Critical Information) occurs because when a URL is too long to fit in the address bar, the Focus mechanism truncated it from the beginning of the string instead of preserving and exposing the part containing the origin (domain). As a result, the user sees a URL fragment that does not reflect the actual server domain, which can be exploited by an attacker to conduct a spoofing attack — the victim believes they are on a trusted site when they are actually on a domain controlled by the attacker.

Impact

An attacker can trick a user into believing they are visiting a trusted website, which opens the door to credential theft (phishing) or other identity spoofing attacks.

Mitigation & patch

Mozilla Firefox should be updated to version 141 or newer. For Mozilla Thunderbird, patches available from the vendor should be applied according to the references (https://www.mozilla.org/security/advisories/mfsa2025-56/)

Who is affected

Mozilla Firefox in versions prior to 141; according to the description, the vulnerability also affects Mozilla Thunderbird — specific versions indicated in the vendor's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 141.0
  • Mozilla Thunderbird

    APP
    Mozilla
    < 141.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...