CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Description (NVD)
Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability was fixed in Firefox for iOS 144.0.
Analysis (AI)
A malicious website can place Unicode right-to-left override (RTLO) characters in a download's filename so that the Firefox for iOS downloads UI displays a misleading name and extension, potentially tricking users into saving a file of a type they did not expect. Affects Firefox for iOS versions prior to 144.0; requires user interaction, since the user must choose to download the file. Real-world exploitation probability is low (EPSS 0.04%) despite the moderate CVSS score (6.5 Medium from the vector above), because the issue provides no code execution by itself and relies on social engineering and user inattention.
Technical Context (AI)
This vulnerability exploits Unicode bidirectional text formatting, specifically the right-to-left override character (RTLO, U+202E), which is part of the Unicode standard's support for mixed-direction text in languages such as Arabic and Hebrew. When a malicious website supplies a download filename containing U+202E, the bidi-aware text rendering in Firefox for iOS's downloads UI draws the characters that follow the override from right to left, so the visible name can end in a harmless-looking extension while the real extension is something else. For example, the raw filename 'invoice_' followed by U+202E and 'fdp.html' is displayed as 'invoice_lmth.pdf' but is saved as an HTML file, because the extension the operating system and other apps act on is the text after the last '.' in the raw string, not in the rendered one. The root cause is classified as CWE-451 (User Interface (UI) Misrepresentation of Critical Information): attacker-controlled filenames were displayed in a security-relevant context without sanitizing or neutralizing Unicode bidi control characters. The affected product is Mozilla Firefox for iOS running on Apple's iPhone OS, identified by CPE cpe:2.3:a:mozilla:firefox:*:*:*:*:*:iphone_os:*:*.
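The following is an added example, not code from Mozilla or from the vuln.today page, showing both sides of the mechanism described above: how an attacker builds a filename whose displayed extension differs from its real one, and the display-side check (the CWE-451 fix pattern) that neutralizes Unicode bidi controls before a name is shown. The filename 'invoice_' + U+202E + 'fdp.html' is constructed for illustration, and visualOrder() is a deliberately small model of the bidi algorithm that only handles RLO and PDF, enough to show the spoof but not a full UAX #9 implementation. The function names are this example's own.

```javascript
// Added example (not Mozilla's code): RTLO filename spoofing and a
// display-side check that neutralises it. Sample filenames are constructed.

const RLO = "\u202E"; // RIGHT-TO-LEFT OVERRIDE
const PDF = "\u202C"; // POP DIRECTIONAL FORMATTING (ends an override)

// Code points with the Unicode Bidi_Control property (U+061C, U+200E, U+200F,
// U+202A..U+202E, U+2066..U+2069). None belong in a filename shown to a user.
const BIDI_CONTROLS = new Set([
  0x061c, 0x200e, 0x200f,
  0x202a, 0x202b, 0x202c, 0x202d, 0x202e,
  0x2066, 0x2067, 0x2068, 0x2069,
]);

// Attacker side: build a name whose displayed extension is fakeExt while the
// real extension (what the OS and other apps act on) is realExt.
function spoofedName(prefix, fakeExt, realExt) {
  const reversed = [...fakeExt].reverse().join("");
  return `${prefix}${RLO}${reversed}.${realExt}`;
}

// The extension the file actually has: text after the last '.' in the raw string.
function realExtension(name) {
  const i = name.lastIndexOf(".");
  return i === -1 ? "" : name.slice(i + 1);
}

// Small model of what a bidi-aware renderer shows: everything after an RLO up
// to the matching PDF (or end of string) is drawn right-to-left. Nesting,
// isolates and neutral-character resolution from UAX #9 are ignored.
function visualOrder(name) {
  let out = "";
  let i = 0;
  while (i < name.length) {
    if (name[i] === RLO) {
      let end = name.indexOf(PDF, i + 1);
      if (end === -1) end = name.length;
      out += [...name.slice(i + 1, end)].reverse().join("");
      i = end + 1; // step over the PDF if there was one
    } else {
      out += name[i];
      i += 1;
    }
  }
  return out;
}

// Detection: does the name carry any bidi control character at all?
function containsBidiControl(name) {
  for (const ch of name) {
    if (BIDI_CONTROLS.has(ch.codePointAt(0))) return true;
  }
  return false;
}

// Display-side mitigation: replace each bidi control with U+FFFD so the
// override cannot act and the tampering stays visible instead of vanishing.
function sanitizeFilename(name) {
  let out = "";
  for (const ch of name) {
    out += BIDI_CONTROLS.has(ch.codePointAt(0)) ? "\uFFFD" : ch;
  }
  return out;
}

// Demo with the constructed filename.
const spoofed = spoofedName("invoice_", "pdf", "html");
console.log(visualOrder(spoofed));      // what a naive UI shows: invoice_lmth.pdf
console.log(realExtension(spoofed));    // what actually gets saved: html
console.log(sanitizeFilename(spoofed)); // hardened display: invoice_\uFFFDfdp.html
```

Replacing the controls with U+FFFD rather than silently stripping them is a deliberate choice: a stripped name would read 'invoice_fdp.html', which is honest about the extension but hides that an override was attempted, whereas the replacement character flags the name as tampered with. Either option removes the spoof; stripping is the minimum fix.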
Remediation (AI)
Vendor-released patch: Firefox for iOS 144.0 or later. Users should update to Firefox for iOS 144.0 through the Apple App Store. No workarounds exist for earlier versions beyond avoiding downloads from untrusted websites and inspecting a downloaded file's name and type before opening it, keeping in mind that the spoofed name is designed to look correct in the downloads UI. For more details, refer to the Mozilla Security Advisory MFSA2025-97 at https://www.mozilla.org/security/advisories/mfsa2025-97/ and the bug report at https://bugzilla.mozilla.org/show_bug.cgi?id=1984683.