CVE-2025-55031 is a critical security vulnerability affecting Mozilla Firefox for iOS versions prior to 142, including Firefox Focus for iOS. The vulnerability arises from the way Firefox for iOS handles FIDO passkey authentication links, specifically leveraging the hybrid passkey transport mechanism that involves communication between the browser and the operating system. An attacker within Bluetooth range can exploit this flaw by hosting a malicious webpage that triggers the browser to initiate a passkey authentication process. Because the hybrid transport can use Bluetooth, the attacker can trick the user into unknowingly authenticating their passkey, effectively allowing the attacker to log into the victim's account on the attacker's device. This attack vector requires proximity due to Bluetooth range limitations but does not require any user interaction or prior authentication, making it highly dangerous. The vulnerability is classified under CWE-601 (Open Redirect), indicating that the malicious page abuses redirection mechanisms to initiate the attack. The CVSS 3.1 base score is 9.8, reflecting critical severity with network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the potential for abuse is significant given the widespread use of Firefox on iOS devices and the increasing adoption of passkey authentication as a phishing-resistant login method. The vulnerability highlights a novel phishing technique exploiting Bluetooth-based hybrid passkey transport, undermining the security guarantees of passkey authentication by leveraging proximity-based attacks.

For European organizations, this vulnerability poses a severe risk, especially for entities relying on Firefox for iOS for secure authentication using passkeys. The attack can lead to unauthorized account access without user interaction, potentially exposing sensitive corporate data, intellectual property, and personal information. Given the criticality of the flaw, threat actors could use this to bypass strong authentication controls, facilitating account takeover, data breaches, and lateral movement within networks. Sectors such as finance, government, healthcare, and critical infrastructure in Europe are particularly at risk due to their reliance on secure authentication and the high value of their data. The proximity requirement means attacks are more feasible in public or semi-public spaces such as conferences, airports, or corporate campuses, where attackers can be physically close to targets. The vulnerability undermines trust in passkey authentication, which is being promoted as a phishing-resistant alternative to passwords, potentially slowing adoption of stronger authentication methods in Europe. Additionally, the lack of user interaction requirement increases the stealthiness of the attack, making detection and prevention more challenging.

European organizations should urgently update Firefox for iOS and Firefox Focus for iOS to version 142 or later once patches are released by Mozilla. Until patches are available, organizations should consider the following mitigations: 1) Educate users about the risks of using Firefox for iOS in untrusted environments and advise caution when browsing unknown websites, especially in public spaces. 2) Limit Bluetooth usage on iOS devices during sensitive operations or disable Bluetooth when not needed to reduce attack surface. 3) Implement network segmentation and endpoint detection to monitor for unusual authentication events or account logins from unexpected devices. 4) Encourage multi-factor authentication methods that do not rely solely on passkeys or hybrid transport mechanisms vulnerable to proximity attacks. 5) Collaborate with mobile device management (MDM) solutions to enforce browser version controls and restrict installation of vulnerable app versions. 6) Monitor security advisories from Mozilla and apply patches promptly to minimize exposure. 7) Consider alternative browsers or authentication methods on iOS devices until the vulnerability is fully mitigated.