Mozilla Foundation Security Advisory 2025-13

Security Vulnerabilities fixed in Firefox for iOS 136

Announced

February 24, 2025

Impact

high

Products

Firefox for iOS

Fixed in

Firefox for iOS 136

#CVE-2025-27426: Firefox Mobile iOS Full Address Bar Spoof Using Server-Side Redirect to internal error page

Reporter: Renwa
Impact: high

Description

Malicious websites utilizing a server-side redirect to an internal error page could result in a spoofed website URL

References

Bug 1933079

#CVE-2025-27424: Firefox Mobile iOS Address Bar Spoof Using Server-Side Redirect to non-http Scheme

Reporter: Renwa
Impact: moderate

Description

Websites redirecting to a non-HTTP scheme URL could allow a website address to be spoofed for a malicious page

References

Bug 1945392

#CVE-2025-27425: QR code user confirmation bypass with invalid protocol

Reporter: Abhinav Khanna
Impact: low

Description

Scanning certain QR codes that included text with a website URL could allow the URL to be opened without presenting the user with a confirmation alert first

References

Bug 1941525

Firefox for Desktop

Firefox for iOS

Firefox for Android

Firefox Focus

Firefox blog

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Fakespot

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Innovation Projects

Blog

Mozilla Foundation

Mozilla.ai

Mozilla Ventures

Mozilla Advertising

Mozilla Builders

Mozilla Foundation Security Advisory 2025-13

Security Vulnerabilities fixed in Firefox for iOS 136

#CVE-2025-27426: Firefox Mobile iOS Full Address Bar Spoof Using Server-Side Redirect to internal error page

Description

References

#CVE-2025-27424: Firefox Mobile iOS Address Bar Spoof Using Server-Side Redirect to non-http Scheme

Description

References

#CVE-2025-27425: QR code user confirmation bypass with invalid protocol

Description

References