CVE-2025-1940
Published: 04 March 2025
Summary
CVE-2025-1940 is a high-severity Improper Restriction of Rendered UI Layers or Frames (CWE-1021) vulnerability in Mozilla Firefox. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique User Execution (T1204); ranked in the top 49.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation through applying the Firefox 136 patch directly eliminates the UI vulnerability where a select option obscures the external app launch confirmation prompt.
Vulnerability scanning identifies unpatched Android Firefox versions susceptible to CVE-2025-1940, enabling targeted remediation to prevent exploitation.
Monitoring vendor security advisories like MFSA 2025-14 provides specific guidance on this Android Firefox UI issue, facilitating proactive patching and mitigation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The UI flaw obscures confirmation prompts for external app launches, directly enabling adversaries to trick users into unintended execution via crafted web content.
NVD Description
A select option could partially obscure the confirmation prompt shown before launching external apps. This could be used to trick a user into launching an external app unexpectedly. *This issue only affects Android versions of Firefox.* This vulnerability was fixed in Firefox 136.
Deeper analysis
CVE-2025-1940 is a user interface vulnerability affecting only Android versions of Firefox, where a select option could partially obscure the confirmation prompt displayed before launching external applications. This flaw enables tricking users into unexpectedly launching an external app. Published on 2025-03-04, it is linked to CWE-1021 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N).
A remote attacker with no privileges can exploit this over the network with low attack complexity by crafting content that positions a select element to hide critical parts of the confirmation dialog. Exploitation requires user interaction, such as the victim confirming an action they do not fully perceive. Success leads to the unintended launch of an external app, resulting in high confidentiality impact and low integrity impact.
Mozilla fixed this vulnerability in Firefox 136. Mitigation details are available in the Mozilla Foundation Security Advisory MFSA 2025-14 at https://www.mozilla.org/security/advisories/mfsa2025-14/ and the related Bugzilla entry at https://bugzilla.mozilla.org/show_bug.cgi?id=1908488.
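As an added example (not part of this advisory or of Mozilla's tooling), the following Python check implements the RA-5 scanning step listed under Mitigating Controls: it parses `adb shell dumpsys package <pkg>` output and flags installed Firefox for Android builds whose major version is below 136, the release that fixed CVE-2025-1940. The package names and the dumpsys sample are assumptions, not taken from the advisory.

```python
import re

# Assumed Firefox for Android package names (release, beta, nightly channels).
FIREFOX_ANDROID_PACKAGES = ("org.mozilla.firefox", "org.mozilla.firefox_beta", "org.mozilla.fenix")
# CVE-2025-1940 was fixed in Firefox 136 (MFSA 2025-14); compare on the major version only,
# since beta/nightly builds carry the next major number before all fixes land in them.
FIXED_MAJOR = 136

def parse_version(version_name):
    """Turn '135.0.1' or '136.0b9' into a tuple of leading integers (missing parts become 0)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version_name)
    if not m:
        raise ValueError(f"unparseable versionName: {version_name!r}")
    return tuple(int(n) if n is not None else 0 for n in m.groups())

def parse_dumpsys(text):
    """Extract {package: versionName} from dumpsys package output."""
    found, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        pkg = re.match(r"Package \[([\w.]+)\]", line)
        if pkg:
            current = pkg.group(1)
            continue
        ver = re.match(r"versionName=(\S+)", line)
        if ver and current:
            found[current] = ver.group(1)
    return found

def vulnerable_packages(dumpsys_text):
    """Return {package: versionName} for Firefox builds older than the fixed major release."""
    installed = parse_dumpsys(dumpsys_text)
    return {pkg: ver for pkg, ver in installed.items()
            if pkg in FIREFOX_ANDROID_PACKAGES and parse_version(ver)[0] < FIXED_MAJOR}

# Constructed sample resembling dumpsys output; not captured from a real device.
SAMPLE_DUMPSYS = """
Packages:
  Package [org.mozilla.firefox] (3a1b2c3):
    userId=10123
    versionName=135.0.1
  Package [org.mozilla.firefox_beta] (4d5e6f7):
    userId=10124
    versionName=136.0b9
"""

if __name__ == "__main__":
    for pkg, ver in vulnerable_packages(SAMPLE_DUMPSYS).items():
        print(f"{pkg} {ver}: update to Firefox 136 or later (CVE-2025-1940)")
```

On a real device, feed the function the combined output of `adb shell dumpsys package` for each package name.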