CVE-2025-6428

| EUVD-2025-28735 MEDIUM
2025-06-24 [email protected]
4.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

5
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 15, 2026 - 22:36 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 22:36 euvd
EUVD-2025-28735
PoC Detected
Jul 03, 2025 - 16:42 vuln.today
Public exploit code
CVE Published
Jun 24, 2025 - 13:15 nvd
MEDIUM 4.3

Tags

Google Mozilla Open Redirect Ubuntu Debian Firefox Android Redhat Suse

Description

When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially leading to phishing attacks. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140.

Analysis

When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially leading to phishing attacks. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140.

Technical Context

An open redirect vulnerability allows attackers to redirect users from a trusted domain to an arbitrary external URL through manipulation of redirect parameters. This vulnerability is classified as URL Redirection to Untrusted Site (Open Redirect) (CWE-601).

Affected Products

Affected products: Mozilla Firefox

Remediation

Validate redirect URLs against a whitelist of allowed destinations. Use relative URLs for redirects. Warn users before redirecting to external sites.

Priority Score

42
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +22
POC: +20

Vendor Status

Ubuntu

Priority: Medium
firefox
Release Status Version
jammy not-affected code not present
noble not-affected code not present
oracular not-affected code not present
plucky not-affected code not present
upstream not-affected debian: Android-specific
questing not-affected code not present
thunderbird
Release Status Version
noble not-affected code not present
oracular not-affected code not present
plucky not-affected code not present
upstream needs-triage -
jammy not-affected code not present
questing not-affected code not present
mozjs38
Release Status Version
bionic needs-triage -
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
mozjs52
Release Status Version
bionic ignored -
focal ignored -
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
mozjs68
Release Status Version
focal ignored -
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
mozjs78
Release Status Version
jammy ignored -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
mozjs91
Release Status Version
jammy ignored -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
mozjs102
Release Status Version
jammy ignored -
noble ignored -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
mozjs115
Release Status Version
jammy DNE -
noble ignored -
oracular ignored -
plucky ignored -
upstream needs-triage -
questing DNE -

Debian

firefox
Release Status Fixed Version Urgency
sid fixed 148.0.2-1 -
(unstable) not-affected - -

Share

CVE-2025-6428 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy