CVE-2025-54143
Published: 19 August 2025
Summary
CVE-2025-54143 is a critical-severity Protection Mechanism Failure (CWE-693) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105); ranked at the 31.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2025-54143 is a vulnerability in Firefox for iOS that enables sandboxed iframes on webpages to potentially allow downloads to the device, bypassing the expected sandbox restrictions declared on the parent page. This protection mechanism failure, mapped to CWE-693, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-08-19.
The vulnerability can be exploited by a remote attacker with no privileges or user interaction required. By hosting a malicious webpage with a sandboxed iframe, the attacker can bypass the parent page's sandbox restrictions, potentially initiating unauthorized downloads to the victim's device and achieving high impacts on confidentiality, integrity, and availability.
Mozilla fixed this issue in Firefox for iOS version 141. Security advisories recommend updating to this version or later to mitigate the vulnerability. Additional details are available in the Mozilla Foundation Security Advisory MFSA 2025-60 at https://www.mozilla.org/security/advisories/mfsa2025-60/ and Bugzilla entry 1912671 at https://bugzilla.mozilla.org/show_bug.cgi?id=1912671.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25230
Vulnerability details
Sandboxed iframes on webpages could potentially allow downloads to the device, bypassing the expected sandbox restrictions declared on the parent page. This vulnerability was fixed in Firefox for iOS 141.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Sandbox bypass enables unauthorized downloads (T1105 Ingress Tool Transfer) from malicious web content and supports drive-by compromise (T1189) via browser exploitation without user interaction.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation requires applying the Firefox for iOS 141 patch that fixes the sandbox iframe download bypass in CVE-2025-54143.
Vulnerability monitoring and scanning identifies systems with vulnerable Firefox for iOS versions affected by CVE-2025-54143.
Malicious code protection scans and blocks potentially harmful downloads initiated by the sandbox bypass in CVE-2025-54143.