Sandboxed Iframe Vulnerability in Firefox and Thunderbird by Mozilla
CVE-2025-11716

Currently unrated

Key Information:

Vendor

Mozilla
Status
Firefox
Thunderbird
Vendor
CVE Published:
14 October 2025

What is CVE-2025-11716?

A vulnerability exists in Firefox and Thunderbird that allows links within a sandboxed iframe to launch external applications on Android devices without requiring the necessary 'allow-' permission. This can potentially lead to unauthorized actions and data exposure, raising significant security concerns for users running affected versions of the software.

Affected Version(s)

Firefox < 144

Thunderbird < 144

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1818679
https://www.mozilla.org/security/advisories/mfsa2025-81/
https://www.mozilla.org/security/advisories/mfsa2025-84/

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Axel Chong (@Haxatron)
JSON
.
CVE-2025-11716 : Sandboxed Iframe Vulnerability in Firefox and Thunderbird by Mozilla