Analysis Summary

CVE-2025-5020 CVSS:4.3

Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client This vulnerability affects Firefox for iOS.

CVE-2025-4918 CVSS:7.5

Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read or write on a JavaScript `Promise` object. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

Impact

• Denial of Service
• Code Execution

Indicators of Compromise

CVE

• CVE-2025-5020

• CVE-2025-4918

Affected Vendors

Affected Products

• Mozilla Firefox ESR - 128.10.0
• Mozilla Firefox - 138.0.3
• Mozilla Firefox ESR - 115.23.0
• Mozilla Firefox for iOS - 138

Remediation

Refer to Mozilla Security Advisory for patch, upgrade, or suggested workaround information.

CVE-2025-5020

CVE-2025-4918