Mozilla Foundation Security Advisory 2025-68

Security Vulnerabilities fixed in Firefox for iOS 142

Announced: August 19, 2025
Impact: high
Products: Firefox for iOS
Fixed in: Firefox for iOS 142

CVE-2025-55030: Content-Disposition headers incorrectly ignored for some MIME types

Reporter: Renwa
Impact: high
Description

Firefox for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline rather than downloading it, potentially allowing for XSS attacks.
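Since a client can end up rendering such a response inline despite the header, a site serving user-supplied files should not depend on Content-Disposition alone. The following is an added example, not part of the advisory or of Mozilla's code: it audits one response's headers for layered protections. The list of renderable MIME types and both sample responses are constructed assumptions, as the advisory does not name the affected types.

```python
# Added example: audit headers on responses that serve user-supplied files.
# ACTIVE_TYPES is an assumption; the advisory does not list the affected types.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}


def media_type(value):
    """Return the bare, lower-cased token before any ';' parameters."""
    return (value or "").split(";", 1)[0].strip().lower()


def audit_download_response(headers):
    """Return findings for one response (dict of header name -> value)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if media_type(h.get("content-disposition")) != "attachment":
        findings.append("Content-Disposition is not 'attachment'")
    mime = media_type(h.get("content-type"))
    if not mime or mime in ACTIVE_TYPES:
        findings.append(f"Content-Type {mime or '(missing)'} can render as "
                        "active content if shown inline")
    if (h.get("x-content-type-options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")
    # A 'sandbox' directive without allow-scripts blocks script execution
    # even when the document is rendered instead of downloaded.
    csp = (h.get("content-security-policy") or "").lower()
    directives = [d.split() for d in csp.split(";")]
    if not any(d and d[0] == "sandbox" and "allow-scripts" not in d
               for d in directives):
        findings.append("no script-blocking CSP 'sandbox' directive")
    return findings


# Constructed sample responses (not taken from the advisory).
WEAK = {"Content-Type": "text/html; charset=utf-8",
        "Content-Disposition": 'attachment; filename="report.html"'}
HARDENED = {"Content-Type": "application/octet-stream",
            "Content-Disposition": 'attachment; filename="report.html"',
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "sandbox; default-src 'none'"}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_download_response(resp))
```

The weak response sets the attachment disposition correctly yet still yields three findings, which is the case this CVE makes relevant.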

CVE-2025-55028: JavaScript alerts could impede UI interaction or allow denial of service attacks

Reporter: Antoine Morin
Impact: moderate
Description

Malicious scripts utilizing repetitive JavaScript alerts could prevent client user interaction in some scenarios and allow for denial of service attacks.

CVE-2025-55031: Passkey phishing within Bluetooth range

Reporter: Hafiizh
Impact: moderate
Description

Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account.

CVE-2025-55029: Malicious scripts could spam popups for denial of service attacks

Reporter: Bharat
Impact: low
Description

Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks.
