Mozilla Foundation Security Advisory 2025-69

Security Vulnerabilities fixed in Focus for iOS 142

Announced

August 19, 2025

Impact

high

Products

Focus for iOS

Fixed in

Focus for iOS 142

#CVE-2025-55032: Focus incorrectly ignores Content-Disposition headers for some MIME types

Reporter: Renwa
Impact: high

Description

Focus for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline, potentially allowing for XSS attacks

References

Bug 1976296

#CVE-2025-55033: Drag and drop gestures in Focus for iOS could allow JavaScript links to be executed incorrectly

Reporter: Muneaki Nishimura
Impact: moderate

Description

Dragging JavaScript links to the URL bar in Focus for iOS could be utilized to run malicious scripts, potentially resulting in XSS attacks

References

Bug 1913825

#CVE-2025-55031: Passkey phishing within Bluetooth range

Reporter: Hafiizh
Impact: moderate

Description

Malicious pages could use Focus for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account.

Mozilla VPN

Mozilla Monitor

Firefox Relay

Pocket

MDN Plus

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Blog