CVE-2025-55031

9.8 CRITICAL

📋 TL;DR

This vulnerability in Firefox for iOS and Focus for iOS allows a malicious web page to trigger the hybrid passkey transport, the cross-device "use a passkey from another device" flow that is normally started by scanning a QR code, by opening a FIDO link. An attacker within Bluetooth range who has a sign-in to the target account pending on their own computer could trick the user into approving the prompt with their passkey, logging the attacker's computer into the account. This affects Firefox for iOS and Focus for iOS versions below 142.

💻 Affected Systems

Products:
  • Firefox for iOS
  • Focus for iOS
Versions: Versions < 142
Operating Systems: iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Bluetooth to be on at the time of the attack, an attacker physically nearby, and a user who opens the malicious page and approves the passkey prompt.

📦 What is this software?

Firefox for iOS and Focus for iOS are Mozilla's browsers for iPhone and iPad, built on Apple's WebKit engine. Focus is the lightweight, privacy-focused variant with tracking protection on by default and browsing data erased when you close it. Both can open FIDO links, the URI form of the QR code used by cross-device passkey sign-in; that link handling is what this bug abuses.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker within Bluetooth range could gain unauthorized access to user accounts by tricking victims into authenticating the attacker's device with their passkeys, potentially compromising sensitive accounts.

🟠

Likely Case

Targeted attacks in public spaces where attackers could exploit Bluetooth proximity to trick users into authenticating malicious devices, leading to account compromise.

🟢

If Mitigated

With updated browsers and user awareness, the risk is significantly reduced as the attack requires specific conditions and user interaction.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires attacker to be within Bluetooth range and user to interact with malicious web content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 142

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-68/

Restart Required: Yes

Instructions:

1. Open the App Store on iOS.
2. Tap your profile icon.
3. Scroll to find Firefox or Focus.
4. Tap 'Update' next to the app.
5. Restart the browser after the update completes.

If automatic app updates are enabled, the update may already be installed; confirm the version in the app's Settings.

🔧 Temporary Workarounds

Disable Bluetooth when not in use

Platform: iOS

Turning Bluetooth off blocks the proximity step the hybrid transport relies on (a Bluetooth LE advertisement from the phone), so a FIDO link triggered by a web page cannot complete a sign-in to a nearby computer.

Settings > Bluetooth > off. The Control Center toggle only disconnects accessories and leaves Bluetooth available (it turns itself back on later); use the Settings app to turn it off fully.

Avoid untrusted websites

Platform: all

Do not visit or interact with suspicious or untrusted websites while using Firefox/Focus on iOS, and treat any "sign in with a passkey on another device" prompt that appears while browsing as suspicious: cancel it unless you just scanned a QR code on a computer you control.

🧯 If You Can't Patch

  • Disable Bluetooth (in Settings, not only Control Center) while browsing with Firefox/Focus for iOS
  • Use a different browser, such as Safari, until the update is installed
  • Cancel any passkey prompt you did not start yourself

🔍 How to Verify

Check if Vulnerable:

Open Firefox/Focus for iOS > Settings > Scroll to bottom to check version number.

Check Version:

There is no command-line check on iOS; read the version from the app's Settings screen as above.

Verify Fix Applied:

Confirm version is 142 or higher in app settings after update.

📡 Detection & Monitoring

Log Indicators:

  • On the relying party side: passkey assertions completed over the hybrid transport (reported by the client as authenticatorAttachment "cross-platform") for accounts whose passkey normally signs in directly from the phone
  • Multiple failed passkey assertions from the same client against one or several accounts in a short window

Network Indicators:

  • None on the IP network: the proximity step is a Bluetooth LE advertisement, not a pairing, so no pairing request or newly paired device will appear. The user-visible sign is an unexpected passkey prompt while browsing a page that gave no reason to start a sign-in.

SIEM Query:

Device-side queries are not applicable: the flaw is in the browser on a personal phone. Relying parties can query their own WebAuthn assertion logs for hybrid-transport sign-ins from client fingerprints a credential has never used before.
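The log indicators above are easier to act on as code. The following is an added example, not Mozilla's code and not part of the advisory: it walks a relying party's passkey sign-in records (a constructed sample with an assumed schema) and raises the three alerts a defender would want while hunting for abuse of this bug: a credential with same-device history suddenly asserted over the hybrid transport from an unfamiliar computer, one computer presenting several users' passkeys, and a burst of failed assertions. The `attachment` field stands in for the value a relying party's front end can record from `PublicKeyCredential.authenticatorAttachment`; the IP plus user-agent fingerprint is a simplification for the example.

```javascript
// Added example, not Mozilla's code and not part of the original advisory.
// Relying-party-side triage of passkey sign-in records for the abuse pattern
// this CVE enables: the passkey stays on the victim's phone, but a different
// computer (the attacker's) completes the WebAuthn ceremony over the hybrid
// (QR code / Bluetooth) transport. The log schema and every row below are
// constructed for the example; "attachment" stands for the value a relying
// party can record from PublicKeyCredential.authenticatorAttachment.

const SAMPLE_EVENTS = [
  // alice: routine same-phone sign-ins, then a hybrid sign-in from a new computer
  { ts: "2025-09-01T09:00:00Z", user: "alice", credId: "cred-A1", attachment: "platform",       ip: "203.0.113.5",  ua: "Firefox iOS/141",    result: "ok" },
  { ts: "2025-09-02T09:05:00Z", user: "alice", credId: "cred-A1", attachment: "platform",       ip: "203.0.113.5",  ua: "Firefox iOS/141",    result: "ok" },
  { ts: "2025-09-03T12:30:00Z", user: "alice", credId: "cred-A1", attachment: "cross-platform", ip: "198.51.100.7", ua: "Chrome Windows/128", result: "ok" },
  // bob: the same computer fails three times against a second account
  { ts: "2025-09-03T12:31:00Z", user: "bob",   credId: "cred-B9", attachment: "cross-platform", ip: "198.51.100.7", ua: "Chrome Windows/128", result: "fail" },
  { ts: "2025-09-03T12:32:00Z", user: "bob",   credId: "cred-B9", attachment: "cross-platform", ip: "198.51.100.7", ua: "Chrome Windows/128", result: "fail" },
  { ts: "2025-09-03T12:33:00Z", user: "bob",   credId: "cred-B9", attachment: "cross-platform", ip: "198.51.100.7", ua: "Chrome Windows/128", result: "fail" },
  // carol: legitimately uses the hybrid transport every day from her own desktop
  { ts: "2025-09-04T08:00:00Z", user: "carol", credId: "cred-C2", attachment: "cross-platform", ip: "192.0.2.10",   ua: "Chrome Windows/128", result: "ok" },
  { ts: "2025-09-05T08:00:00Z", user: "carol", credId: "cred-C2", attachment: "cross-platform", ip: "192.0.2.10",   ua: "Chrome Windows/128", result: "ok" },
];

const FAIL_WINDOW_MS = 10 * 60 * 1000; // window for the failed-assertion burst check
const FAIL_THRESHOLD = 3;              // failures inside the window that raise an alert

// The "client" is whatever completed the ceremony; ip + user agent is a
// deliberately coarse fingerprint so the example stays self-contained.
const clientKey = (e) => `${e.ip}|${e.ua}`;

function analyzePasskeyLog(events) {
  const alerts = [];
  const knownClients = new Map(); // credId -> Set(clientKey) from past successful, unflagged sign-ins
  const hybridUsers = new Map();  // clientKey -> Set(user) whose passkeys it presented via hybrid
  const recentFails = new Map();  // user -> timestamps (ms) of recent failed assertions

  const ordered = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  for (const e of ordered) {
    const key = clientKey(e);
    const t = Date.parse(e.ts);
    let flagged = false;

    if (e.attachment === "cross-platform") {
      // Indicator 1: a credential with an established sign-in history is used
      // over the hybrid transport from a client it has never been seen with.
      // A credential with no history yet (carol's first row) is skipped, so the
      // check warms up instead of alerting on every first-time user.
      const seen = knownClients.get(e.credId);
      if (seen && !seen.has(key)) {
        flagged = true;
        alerts.push({ type: "hybrid-new-client", user: e.user, credId: e.credId, ts: e.ts,
          detail: `hybrid assertion from ${key}; known clients: ${[...seen].join(", ")}` });
      }
      // Indicator 2: one computer presenting the passkeys of several different
      // users is what an attacker's laptop looks like from the server side.
      const users = hybridUsers.get(key) ?? new Set();
      if (!users.has(e.user)) {
        users.add(e.user);
        hybridUsers.set(key, users);
        if (users.size >= 2) {
          alerts.push({ type: "shared-hybrid-client", user: e.user, credId: e.credId, ts: e.ts,
            detail: `${key} presented passkeys for ${[...users].join(", ")}` });
        }
      }
    }

    if (e.result === "ok") {
      // Only unflagged successes extend the credential's baseline, so an
      // attacker's computer does not become "known" by succeeding once.
      if (!flagged) {
        const seen = knownClients.get(e.credId) ?? new Set();
        seen.add(key);
        knownClients.set(e.credId, seen);
      }
    } else {
      // Indicator 3: a burst of failed assertions against one account.
      const fails = (recentFails.get(e.user) ?? []).filter((x) => t - x < FAIL_WINDOW_MS);
      fails.push(t);
      recentFails.set(e.user, fails);
      if (fails.length === FAIL_THRESHOLD) {
        alerts.push({ type: "failed-burst", user: e.user, credId: e.credId, ts: e.ts,
          detail: `${fails.length} failed passkey assertions from ${key} within ${FAIL_WINDOW_MS / 60000} min` });
      }
    }
  }
  return alerts;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const a of analyzePasskeyLog(SAMPLE_EVENTS)) {
    console.log(`${a.ts} ${a.type.padEnd(21)} ${a.user}/${a.credId}: ${a.detail}`);
  }
}
```

Run against the sample, the three alerts fire for alice (hybrid sign-in from an unknown computer), for the computer shared between alice and bob, and for bob's failed burst; carol, who always uses the hybrid transport from the same desktop, is never flagged. In production the client fingerprint should come from whatever device identity the relying party already keeps, and the warm-up rule should be paired with a step-up (re-authentication or notification) rather than a silent alert.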

🔗 References

  • Mozilla Foundation Security Advisory MFSA 2025-68: https://www.mozilla.org/security/advisories/mfsa2025-68/
  • CVE record: https://www.cve.org/CVERecord?id=CVE-2025-55031
