Cyber Posture

CVE-2025-55031

Severity: Critical
Published: 19 August 2025
Modified: 13 April 2026
KEV Added: not listed
Patch: available (Firefox for iOS 142, Focus for iOS 142)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.2nd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-55031 is a critical-severity Open Redirect (CWE-601, URL Redirection to Untrusted Site) vulnerability in Mozilla Firefox for iOS and Focus for iOS, fixed in version 142 of both. Its CVSS v3.1 base score is 9.8 (Critical). Note that the vector (network, low complexity, no privileges, no user interaction) sits uneasily with the NVD description, which requires the victim to open a malicious page and complete a passkey ceremony while the attacker is within Bluetooth range; treat the base score as an upper bound and weigh those practical preconditions when prioritising.

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002). The CVE is ranked at the 30.2nd percentile by exploit likelihood (EPSS 0.0012, below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Spearphishing Link (T1566.002) and one other technique, Adversary-in-the-Middle (T1557). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent (SI-2 Flaw Remediation)

Applying the vendor patch (Firefox for iOS 142 and Focus for iOS 142) remediates the flaw in builds prior to version 142 and prevents malicious pages from passing FIDO: links to the OS.

detect (RA-5 Vulnerability Monitoring and Scanning)

Vulnerability scanning identifies devices still running Firefox for iOS or Focus for iOS builds prior to 142 that are affected by CVE-2025-55031, enabling targeted remediation.

detect

Monitoring security advisories such as MFSA 2025-68 and MFSA 2025-69 ensures timely awareness of the fix for CVE-2025-55031 in Firefox for iOS and Focus for iOS.
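The RA-5 scanning step above can be approximated from web-proxy or MDM telemetry without an agent: Firefox for iOS announces its version in the User-Agent token FxiOS/<major>.<minor>, so a scan of access records can flag clients still below the fixed release. The following is an added example written for this page, not tooling from Mozilla or from this site. The tab-separated log format and the sample records are constructed for the example, and the assumption that Focus for iOS builds carry the same token is marked in the code.

```python
from __future__ import annotations

import re

# Fixed in Firefox for iOS 142 and Focus for iOS 142 (MFSA 2025-68 / MFSA 2025-69).
FIXED_VERSION = (142, 0)

# Firefox for iOS identifies itself with an "FxiOS/<major>.<minor>" token in its
# User-Agent string. Assumption for this example: Focus for iOS builds that report a
# version do so with the same token; adjust the pattern if your fleet shows otherwise.
FXIOS_TOKEN = re.compile(r"\bFxiOS/(\d+)(?:\.(\d+))?")


def parse_fxios_version(user_agent: str) -> tuple[int, int] | None:
    """Return (major, minor) for a Firefox for iOS User-Agent, or None if it is not one."""
    m = FXIOS_TOKEN.search(user_agent)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def is_vulnerable(user_agent: str) -> bool:
    """True when the UA belongs to a Firefox for iOS build older than the fixed release.

    Versions are compared as integer tuples, so 139.2 < 142.0 while 142.1 is not flagged.
    """
    version = parse_fxios_version(user_agent)
    return version is not None and version < FIXED_VERSION


def scan_proxy_log(lines: list[str]) -> dict[str, tuple[int, int]]:
    """Map each client IP seen with a vulnerable build to the oldest version observed.

    Input format (constructed for this example): TAB-separated
    '<timestamp>\\t<client_ip>\\t<user_agent>' records. Malformed records are skipped.
    """
    findings: dict[str, tuple[int, int]] = {}
    for line in lines:
        try:
            _ts, client_ip, user_agent = line.rstrip("\n").split("\t", 2)
        except ValueError:
            continue  # malformed record: skip rather than abort the scan
        version = parse_fxios_version(user_agent)
        if version is None or version >= FIXED_VERSION:
            continue
        if client_ip not in findings or version < findings[client_ip]:
            findings[client_ip] = version
    return findings


# Constructed sample records (not real traffic): one patched client, two vulnerable
# clients (one seen twice), one Safari client that must not be flagged, one bad line.
IOS_UA_PREFIX = ("Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) "
                 "AppleWebKit/605.1.15 (KHTML, like Gecko) ")
SAMPLE_LOG = [
    "2025-08-20T09:01:12Z\t10.0.4.17\t" + IOS_UA_PREFIX + "FxiOS/141.0 Mobile/15E148 Safari/605.1.15",
    "2025-08-20T09:02:40Z\t10.0.4.23\t" + IOS_UA_PREFIX + "FxiOS/142.0 Mobile/15E148 Safari/605.1.15",
    "2025-08-20T09:03:05Z\t10.0.4.17\t" + IOS_UA_PREFIX + "FxiOS/141.0 Mobile/15E148 Safari/605.1.15",
    "2025-08-20T09:04:51Z\t10.0.4.31\t" + IOS_UA_PREFIX + "Version/18.5 Mobile/15E148 Safari/604.1",
    "2025-08-20T09:05:00Z\t10.0.4.40\t" + IOS_UA_PREFIX + "FxiOS/139.2 Mobile/15E148 Safari/605.1.15",
    "garbage line without tabs",
]

if __name__ == "__main__":
    for ip, (major, minor) in sorted(scan_proxy_log(SAMPLE_LOG).items()):
        print(f"{ip}\tFirefox for iOS {major}.{minor}\tbelow {FIXED_VERSION[0]}.{FIXED_VERSION[1]}: update required")
```

Version tuples rather than string comparison are the point of the helper: a naive string check would rank "139.2" above "142.0" only by accident of digit order and would mis-handle two-digit minors. Feed the scanner your own proxy export in the same three-column shape, or swap the split for your log parser.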

MITRE ATT&CK Enterprise Techniques [AI]

T1566.002 Spearphishing Link (Initial Access)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
T1557 Adversary-in-the-Middle (Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing …
Why these techniques?

The vulnerability lets a malicious page make Firefox for iOS pass a FIDO: link to the OS and trigger the hybrid passkey transport. A spearphishing link is the natural way to get the victim onto that page (T1566.002); an attacker within Bluetooth range then relays the resulting passkey ceremony so that the attacker's computer, not the victim, is logged into the target account (T1557, AiTM-style).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This vulnerability was fixed in Firefox for iOS 142 and Focus for iOS 142.

Deeper analysis [AI]

CVE-2025-55031 is a critical-severity vulnerability in Firefox for iOS that enables malicious web pages to pass FIDO: links to the iOS operating system, thereby triggering the hybrid passkey transport mechanism. The affected software is Firefox for iOS and Focus for iOS in versions prior to 142. Classified under CWE-601 (URL Redirection to Untrusted Site), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical impact on confidentiality, integrity, and availability.

The attack scenario involves a remote attacker hosting a malicious page that the victim opens in Firefox for iOS or Focus for iOS. An attacker within Bluetooth range can exploit this to trick the user into authenticating with their passkey, so that the attacker's computer, rather than the user's, is logged into the target account. The CVSS vector records no required privileges, network access and low complexity, but the scenario as described by NVD still depends on the victim opening the page and completing a passkey ceremony and on the attacker being physically near the device; practitioners should factor those preconditions into their own prioritisation rather than relying on the base score alone.

Mozilla has fixed this vulnerability in Firefox for iOS 142 and Focus for iOS 142. Security advisories MFSA 2025-68 and MFSA 2025-69 detail the patch, and practitioners should prioritize updating affected devices. Additional technical details are available in Bugzilla entries 1979499 and 1979804.

Details

CWE(s)

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

Affected Products

mozilla / firefox (Firefox for iOS): versions prior to 142.0
mozilla / firefox focus (Focus for iOS): versions prior to 142.0

CVEs Like This One

CVE-2025-0244 (same product: Mozilla Firefox)
CVE-2026-2634 (same product: Mozilla Firefox)
CVE-2026-4728 (same product: Mozilla Firefox)
CVE-2026-4691 (same product: Mozilla Firefox)
CVE-2026-4687 (same product: Mozilla Firefox)
CVE-2026-4702 (same product: Mozilla Firefox)
CVE-2026-4717 (same product: Mozilla Firefox)
CVE-2026-4723 (same product: Mozilla Firefox)
CVE-2025-1941 (same product: Mozilla Firefox)
CVE-2026-4701 (same product: Mozilla Firefox)

References

MFSA 2025-68 (Mozilla Foundation Security Advisory)
MFSA 2025-69 (Mozilla Foundation Security Advisory)
Mozilla Bugzilla 1979499
Mozilla Bugzilla 1979804