CVE-2025-10859

4.0 MEDIUM

📋 TL;DR

Firefox for iOS incorrectly shared cookie storage between private (Incognito) and normal browsing sessions, so data from private tabs could leak into regular browsing even after all private tabs were closed. It affects Firefox for iOS versions below 143.1.

💻 Affected Systems

Products:
  • Firefox for iOS
Versions: All versions < 143.1
Operating Systems: iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Firefox for iOS; desktop Firefox and other browsers are not affected. Requires user to have used private browsing mode.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive browsing data (cookies, session tokens, authentication data) from private browsing sessions could be accessed by websites in normal browsing mode, potentially exposing private accounts or activities.

🟠 Likely Case

Websites visited in normal browsing mode could access cookies or session data left behind by earlier private browsing sessions, undermining the privacy guarantee that mode is meant to provide.

🟢 If Mitigated

Once patched, cookie storage is isolated between private and normal browsing modes, as intended, and no data leaks between them.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the user to visit malicious websites in normal browsing mode after using private browsing. No authentication bypass or remote code execution involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 143.1

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-79/

Restart Required: No

Instructions:

1. Open the App Store on your iOS device.
2. Search for Firefox.
3. Tap 'Update' next to Firefox.
4. Wait for the update to complete.
5. Launch Firefox to verify the update.

🔧 Temporary Workarounds

Disable Private Browsing (iOS)

Avoid using private browsing mode in Firefox for iOS until patched.

Clear All Cookies After Private Browsing (iOS)

Manually clear all cookies and site data after using private browsing sessions.

🧯 If You Can't Patch

  • Use an alternative browser for private browsing sessions.
  • Avoid logging into sensitive accounts while using Firefox for iOS private browsing.

🔍 How to Verify

Check if Vulnerable:

Check Firefox version in Settings > About Firefox. If version is below 143.1, the device is vulnerable.

Check Version:

Open Firefox > Settings > About Firefox

Verify Fix Applied:

After updating, verify version is 143.1 or higher in Settings > About Firefox.

📡 Detection & Monitoring

Log Indicators:

  • No specific log indicators for this privacy leakage vulnerability.

Network Indicators:

  • No specific network indicators; this is a client-side privacy issue.

SIEM Query:

Not applicable for client-side privacy vulnerabilities.
