CVE-2025-11720

Spoofing risk in Android custom tabs

CVSS 8.1 HIGHEPSS 0.2%CWE-451

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.1EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

14 Oct 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability was fixed in Firefox 144.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Affected products

Mozilla · Firefox

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1979534 https://bugzilla.mozilla.org/show_bug.cgi?id=1984370 https://www.mozilla.org/security/advisories/mfsa2025-81/