CVE-2025-8042
BaseFortify
Publication date: 2025-08-19
Last updated on: 2026-04-13
Assigner: Mozilla Corporation
Description
Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | * | |
| mozilla | firefox | From 60.9.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Firefox for Android allows a sandboxed iframe that does not have the `allow-downloads` attribute to start downloads, which it should not be permitted to do. This affects versions of Firefox for Android earlier than 141.
How can this vulnerability impact me?
An attacker could exploit this vulnerability to initiate downloads without user consent or proper permissions, potentially leading to unwanted or malicious files being downloaded onto the user's device.