CVE-2025-10535

7.5 HIGH

📋 TL;DR

This vulnerability in Firefox for Android's Privacy component allows attackers to bypass privacy protections and access sensitive information that should be restricted. It affects all Firefox for Android users running versions below 143. The issue involves improper handling of privacy controls that could leak user data.

💻 Affected Systems

Products:
  • Firefox for Android
Versions: All versions < 143
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Firefox for Android, not desktop Firefox or other browsers. Privacy features like Enhanced Tracking Protection may be bypassed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive user data including browsing history, saved credentials, or private information that should be protected by Firefox's privacy features.

🟠 Likely Case

Malicious websites or apps could bypass privacy restrictions to collect user browsing data and behavior patterns without proper consent.

🟢 If Mitigated

With proper browser security settings and updated versions, the risk is limited to potential data leakage from specific privacy bypass scenarios.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation likely requires user interaction (visiting malicious website) but doesn't require authentication. The vulnerability bypasses privacy controls rather than requiring complex exploitation chains.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox for Android 143

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-73/

Restart Required: Yes

Instructions:

1. Open Google Play Store
2. Search for Firefox
3. Check if an update to version 143+ is available
4. Tap Update
5. Restart Firefox after the update completes

🔧 Temporary Workarounds

Disable JavaScript

Platform: android

Temporarily disable JavaScript to reduce the attack surface while waiting for the update

about:config → javascript.enabled → false

Use Private Browsing Mode

Platform: android

Private browsing mode may limit data exposure from this vulnerability

Tap menu → New Private Tab

🧯 If You Can't Patch

  • Switch to alternative mobile browser until Firefox can be updated
  • Avoid visiting untrusted websites and clear browsing data regularly

🔍 How to Verify

Check if Vulnerable:

Open Firefox for Android → Menu → Settings → About Firefox → Check version number

Check Version:

about:

Verify Fix Applied:

Verify Firefox version is 143 or higher in About Firefox settings

📡 Detection & Monitoring

Log Indicators:

  • Unusual privacy setting changes
  • Multiple privacy-related permission requests

Network Indicators:

  • Suspicious data exfiltration to unknown domains
  • Unexpected cross-origin requests

SIEM Query:

source="firefox_android" AND (event="privacy_violation" OR event="data_leak")
