CVE-2025-54145

9.1 CRITICAL

📋 TL;DR

This vulnerability in Firefox for iOS allows malicious websites to be opened automatically when users scan QR codes containing specially crafted URLs. Attackers can trick users into scanning QR codes that exploit Firefox's open-text URL scheme to launch arbitrary websites. Only Firefox for iOS versions below 141 are affected.

💻 Affected Systems

Products:
  • Firefox for iOS
Versions: All versions < 141
Operating Systems: iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Firefox for iOS mobile browser; desktop Firefox and other browsers are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Users could be redirected to phishing sites, malware distribution pages, or sites that exploit other browser vulnerabilities, potentially leading to credential theft, malware installation, or further compromise.

🟠 Likely Case

Attackers use social engineering to trick users into scanning malicious QR codes, redirecting them to phishing sites or unwanted content.

🟢 If Mitigated

With updated Firefox versions and user awareness training, impact is limited to inconvenience from unwanted website openings.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (scanning QR code) but no authentication. Social engineering makes this practical for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox for iOS 141

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-60/

Restart Required: Yes

Instructions:

1. Open the App Store on iOS.
2. Search for Firefox.
3. Tap Update to install version 141 or higher.
4. Restart Firefox after the update completes.

🔧 Temporary Workarounds

Disable QR Code Scanning (iOS)

Temporarily disable Firefox's QR code scanning feature until patched.

Not applicable - disable via Firefox settings

Use Alternative QR Scanner (iOS)

Use the iOS Camera app or a dedicated QR scanner app instead of Firefox's built-in scanner.

🧯 If You Can't Patch

  • Educate users to avoid scanning QR codes from untrusted sources
  • Implement mobile device management (MDM) policies to restrict Firefox usage

🔍 How to Verify

Check if Vulnerable:

Check the Firefox version in iOS Settings > Firefox > Version. If the version is below 141, the installed browser is vulnerable.

Check Version:

Not applicable - check via iOS Settings app

Verify Fix Applied:

Confirm Firefox version is 141 or higher in iOS Settings > Firefox > Version.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected URL openings in Firefox logs
  • QR code scan events followed by unusual domain access

Network Indicators:

  • Outbound connections to suspicious domains after QR code scans
  • Unusual traffic patterns from Firefox mobile clients

SIEM Query:

source="firefox_ios" AND (event="qr_scan" OR url_contains="open-text")
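The SIEM query above is only a sketch. The following is an added example, not part of this advisory or of Mozilla's code, that applies the same idea to sample scan logs: it flags QR-scanned values that use the firefox open-text scheme to carry a web URL rather than plain search text. It assumes the scheme takes the form firefox://open-text?text=<value>, and the log line format and all sample lines are constructed for the example.

```python
# Added example: detect QR scans that wrap a web URL inside Firefox for iOS's
# open-text scheme. ASSUMPTION: the scheme looks like firefox://open-text?text=<value>.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (hypothetical format): "<timestamp> qr_scan url=<scanned value>"
SAMPLE_LOG = """\
2025-07-01T10:00:00Z qr_scan url=https://example.org/menu
2025-07-01T10:01:00Z qr_scan url=firefox://open-text?text=restaurant%20wifi
2025-07-01T10:02:00Z qr_scan url=firefox://open-text?text=https%3A%2F%2Fphish.example%2Flogin
2025-07-01T10:03:00Z qr_scan url=FIREFOX://Open-Text?text=http%3A%2F%2Fevil.example
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+qr_scan\s+url=(?P<url>\S+)$")
# A decoded text value that starts with a web scheme is a redirect, not a search term.
URL_LIKE = re.compile(r"^\s*(https?|ftp)://", re.IGNORECASE)


def open_text_payload(url: str):
    """Return the decoded `text` parameter if `url` targets the open-text
    scheme (case-insensitive), an empty string if the parameter is missing,
    or None if the URL is not an open-text URL at all."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "firefox":
        return None
    # For firefox://open-text?text=..., urlsplit places "open-text" in netloc.
    target = (parts.netloc or parts.path.strip("/")).lower()
    if target != "open-text":
        return None
    values = parse_qs(parts.query).get("text")  # parse_qs percent-decodes the value
    return values[0] if values else ""


def find_suspicious_scans(log_text: str):
    """Return (timestamp, decoded text) for open-text scans whose text is a web URL."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a qr_scan record in the assumed format
        payload = open_text_payload(m.group("url"))
        if payload is not None and URL_LIKE.match(payload):
            hits.append((m.group("ts"), payload))
    return hits


if __name__ == "__main__":
    for ts, text in find_suspicious_scans(SAMPLE_LOG):
        print(f"{ts} open-text scan carrying a URL: {text}")
```

On the constructed log the plain search text scan is ignored and only the two scans carrying http(s) URLs are reported, regardless of the letter case of the scheme.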

🔗 References
