CVE-2025-1940: Android Intent confirmation prompt tapjacking using Select options
A select option could partially obscure the confirmation prompt shown before launching external apps. This could be used to trick a user into launching an external app unexpectedly. This issue only affects Android versions of Firefox. This vulnerability was fixed in Firefox 136.
Other sources
A select option could partially obscure the confirmation prompt shown before launching external apps. This could be used to trick a user into launching an external app unexpectedly. This issue only affects Android versions of Firefox.
— Mozilla
Frequently Asked Questions
What is the severity of CVE-2025-1940?
CVE-2025-1940 has been classified as a moderate severity vulnerability.
How do I fix CVE-2025-1940?
To fix CVE-2025-1940, you need to update Firefox to version 136 or later.
Who is affected by CVE-2025-1940?
CVE-2025-1940 specifically affects users of Firefox on Android running versions prior to 136.
What type of vulnerability is CVE-2025-1940?
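CVE-2025-1940 is a tapjacking vulnerability: a select option could partially obscure the confirmation prompt shown before launching an external app, which could be used to trick a user into launching that app unexpectedly.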
When was CVE-2025-1940 disclosed?
CVE-2025-1940 was disclosed in early 2025.