CVE-2025-1939: Tapjacking in Android Custom Tabs using transition animations
Published Mar 4, 2025
Android apps can load web pages using the Custom Tabs feature. This feature supports a transition animation that could have been used to trick a user into granting sensitive permissions by hiding what the user was actually clicking.
Affected Software
3 affected components. Fixes available.
Mozilla Firefox<136
Mozilla Firefox<136
136
Mozilla Firefox<136.0
Event History
Mar 4, 2025
12:00 AM: CVE Published via Mozilla
01:31 PM: CVE Published via MITRE
01:31 PM: Data Sourced via MITRE (Description)
02:15 PM: Data Sourced via NVD (Description, Severity, Weakness, Affected Software)
Frequently Asked Questions
1. What is the severity of CVE-2025-1939?
CVE-2025-1939 has been classified as a high severity vulnerability.
2. How do I fix CVE-2025-1939?
To fix CVE-2025-1939, update your Mozilla Firefox browser to version 136 or later.
3. What impact does CVE-2025-1939 have on users?
CVE-2025-1939 can potentially trick users into granting sensitive permissions through deceptive transition animations in Custom Tabs.
4. Which versions of Firefox are affected by CVE-2025-1939?
CVE-2025-1939 affects Mozilla Firefox versions prior to 136.
5. Is there a workaround for CVE-2025-1939 until a fix is applied?
Currently, there are no known effective workarounds for CVE-2025-1939 besides updating to the latest version.