CVE-2025-3839
Insecure External URL Handling in Epiphany Enables Remote Code Execution
Publication date: 2026-01-23
Last updated on: 2026-01-23
Assigner: Fedora Project
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| epiphany | epiphany | up to 47.5 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-356 | The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Epiphany web browser allows websites to open external URL handler applications with minimal user interaction and without proper warnings. A malicious website can exploit this flaw to invoke local applications registered to handle specific URL schemes, potentially leading to code execution on the client device if those handler applications are themselves vulnerable. Essentially, the browser fails to properly gate this action or warn the user about it, which misleads users and extends the attack surface from the browser to local applications. [1]
How can this vulnerability impact me?
If exploited, this vulnerability can lead to remote code execution on your device by abusing UI behavior that users trust. A malicious website could trigger a vulnerable local application to run harmful code within your user session, potentially compromising your system's security and privacy. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the Epiphany web browser to version 48.1 or later (or 47.5 or later on Linux systems) where the issue has been fixed. Additionally, consider restricting or monitoring the use of external URL handlers to reduce the risk of exploitation. [1]