Cyber Resilience

CVE-2025-55031

Critical

Published: 19 August 2025

Published
19 August 2025
Modified
13 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0013 32.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-55031 is a critical-severity Open Redirect (CWE-601) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 32.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2025-55031 is a high-severity vulnerability in Firefox for iOS that enables malicious web pages to pass FIDO: links to the iOS operating system, thereby triggering the hybrid passkey transport mechanism. The affected software includes Firefox for iOS and Focus for iOS versions prior to 142. Classified under CWE-601 (URL Redirection to Untrusted Site), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical impact on confidentiality, integrity, and availability.

The attack scenario involves a remote attacker hosting a malicious page accessible via Firefox for iOS. An attacker within Bluetooth range can exploit this to trick the user into authenticating with their passkey, allowing the attacker's computer to log into the target account. No special privileges are required, and the exploit leverages network access with low complexity.

Mozilla has fixed this vulnerability in Firefox for iOS 142 and Focus for iOS 142. Security advisories MFSA 2025-68 and MFSA 2025-69 detail the patch, and practitioners should prioritize updating affected devices. Additional technical details are available in Bugzilla entries 1979499 and 1979804.

EU & UK References

Vulnerability details

Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the…

more

attacker's computer into the target account. This vulnerability was fixed in Firefox for iOS 142 and Focus for iOS 142.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Vulnerability enables malicious pages to abuse FIDO/passkey transport (via open redirect), directly facilitating spearphishing links that lead to AiTM-style passkey relay for unauthorized account access.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0244Same product: Mozilla Firefox
CVE-2026-8945Same product: Mozilla Firefox
CVE-2026-2634Same product: Mozilla Firefox
CVE-2026-4728Same product: Mozilla Firefox
CVE-2026-4712Same product: Mozilla Firefox
CVE-2026-4698Same product: Mozilla Firefox
CVE-2026-4700Same product: Mozilla Firefox
CVE-2026-4693Same product: Mozilla Firefox
CVE-2026-24869Same product: Mozilla Firefox
CVE-2026-4701Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 142.0
mozilla
firefox focus
≤ 142.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Remediating the specific flaw in Firefox for iOS prior to version 142 by applying the vendor patch directly prevents malicious FIDO link passing to the OS.

detect

Vulnerability scanning identifies systems running vulnerable Firefox for iOS versions affected by CVE-2025-55031, enabling targeted remediation.

detect

Monitoring security advisories like MFSA 2025-68 and 2025-69 ensures timely awareness of the CVE-2025-55031 patch for Firefox for iOS.

References