CVE-2025-8364: Address bar spoofing using a blob URI on Firefox for Android in Mozilla Firefox
A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 141.
AI Analysis
Technical Summary
CVE-2025-8364 is a medium-severity vulnerability affecting Mozilla Firefox on Android devices prior to version 141. The issue is address bar spoofing through a crafted blob: URI. Browsers use blob URIs to represent binary data objects as URLs. Here, an attacker can create a specially crafted blob URI that causes the browser to display a misleading origin in the address bar, hiding the true source of the webpage. Users can then be deceived into believing they are visiting a legitimate or trusted site when they are in fact interacting with a malicious page. The vulnerability does not affect Firefox on other operating systems, which limits its scope to Android devices. The CVSS v3.1 base score is 4.3 (medium severity), with a vector of network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, low integrity impact, and no availability impact. The underlying weakness is classified under CWE-451 (User Interface (UI) Misrepresentation of Critical Information), the category that covers address bar spoofing. There are no known exploits in the wild at the time of publication, and no official patches have been linked yet. Exploitation requires tricking a user into clicking a malicious link, after which the misleading address bar display can support phishing or social engineering attacks.
Potential Impact
For European organizations, the primary risk posed by this vulnerability is the potential for phishing and social engineering attacks targeting employees and customers using Firefox on Android devices. Since the spoofing affects only the address bar display, users may be deceived into entering sensitive information such as credentials, financial data, or other personal information on malicious sites masquerading as legitimate ones. This can lead to credential theft, unauthorized access, and potential data breaches. The impact on confidentiality and integrity is low to medium, as the vulnerability does not allow direct code execution or data exfiltration but facilitates deception. Availability is not impacted. Organizations with a significant mobile workforce or customer base using Firefox on Android are at higher risk. Additionally, sectors with high-value targets such as financial services, government, healthcare, and critical infrastructure in Europe could see targeted phishing campaigns exploiting this vulnerability. The lack of a patch at the time of reporting increases the window of exposure. However, the requirement for user interaction (clicking a malicious link) somewhat limits the ease of exploitation.
Mitigation Recommendations
European organizations should take proactive steps to mitigate the risk from this vulnerability. First, they should monitor Mozilla’s security advisories closely and prioritize updating Firefox on Android devices to version 141 or later once available. Until patches are released, organizations can implement mobile device management (MDM) policies to restrict or monitor the use of Firefox on Android or enforce the use of alternative browsers not affected by this issue. Security awareness training should emphasize caution when clicking on links received via email, SMS, or messaging apps, particularly on mobile devices. Phishing simulations can help reinforce this behavior. Organizations should also consider deploying mobile endpoint protection solutions capable of detecting suspicious URLs or blocking access to known malicious domains. For customer-facing services, implementing multi-factor authentication (MFA) can reduce the impact of credential theft resulting from spoofing attacks. Finally, web developers should ensure their sites use HTTPS with HSTS to prevent downgrade attacks and improve user trust indicators.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mozilla
- Date Reserved: 2025-07-30T16:10:59.624Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68a4e679ad5a09ad00fb5db2
Added to database: 8/19/2025, 9:02:49 PM
Last enriched: 8/27/2025, 1:14:25 AM
Last updated: 10/4/2025, 10:59:28 AM