{"api_version":"1","generated_at":"2026-04-23T02:25:03+00:00","cve":"CVE-2025-14744","urls":{"html":"https://cve.report/CVE-2025-14744","api":"https://cve.report/api/cve/CVE-2025-14744.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-14744","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-14744"},"summary":{"title":"Filename spoofing via Unicode Right-to-Left Override in Firefox for iOS","description":"Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability was fixed in Firefox for iOS 144.0.","state":"PUBLISHED","assigner":"mozilla","published_at":"2025-12-18 15:15:52","updated_at":"2026-04-13 15:16:47"},"problem_types":["CWE-451","CWE-451 CWE-451 User Interface (UI) Misrepresentation of Critical Information"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"}}],"references":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1984683","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1984683","refsource":"security@mozilla.org","tags":["Permissions Required"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.mozilla.org/security/advisories/mfsa2025-97/","name":"https://www.mozilla.org/security/advisories/mfsa2025-97/","refsource":"security@mozilla.org","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-14744","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-14744","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Mozilla","product":"Firefox for iOS","version":"unaffected 144.0 * rpm","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Azril","lang":"en"}],"nvd_cpes":[{"cve_year":"2025","cve_id":"14744","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"iphone_os","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2025","cve_id":"14744","cve":"CVE-2025-14744","epss":"0.000360000","percentile":"0.104240000","score_date":"2026-04-15","updated_at":"2026-04-16 00:13:56"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","version":"3.1"}},{"other":{"content":{"id":"CVE-2025-14744","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2025-12-18T19:12:45.595694Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-451","description":"CWE-451 User Interface (UI) Misrepresentation of Critical Information","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-12-18T19:19:42.637Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"Firefox for iOS","vendor":"Mozilla","versions":[{"lessThanOrEqual":"*","status":"unaffected","version":"144.0","versionType":"rpm"}]}],"credits":[{"lang":"en","value":"Azril"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability was fixed in Firefox for iOS 144.0."}],"value":"Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability was fixed in Firefox for iOS 144.0."}],"providerMetadata":{"dateUpdated":"2026-04-13T14:31:42.899Z","orgId":"f16b083a-5664-49f3-a51e-8d479e5ed7fe","shortName":"mozilla"},"references":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1984683"},{"url":"https://www.mozilla.org/security/advisories/mfsa2025-97/"}],"title":"Filename spoofing via Unicode Right-to-Left Override in Firefox for iOS"}},"cveMetadata":{"assignerOrgId":"f16b083a-5664-49f3-a51e-8d479e5ed7fe","assignerShortName":"mozilla","cveId":"CVE-2025-14744","datePublished":"2025-12-18T14:21:12.328Z","dateReserved":"2025-12-15T19:44:44.939Z","dateUpdated":"2026-04-13T14:31:42.899Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-12-18 15:15:52","lastModifiedDate":"2026-04-13 15:16:47","problem_types":["CWE-451","CWE-451 CWE-451 User Interface (UI) Misrepresentation of Critical Information"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:iphone_os:*:*","versionEndExcluding":"144.0","matchCriteriaId":"0ED73B6B-B41E-4DB1-8FEC-6550365BC33D"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"14744","Ordinal":"1","Title":"Filename spoofing via Unicode Right-to-Left Override in Firefox ","CVE":"CVE-2025-14744","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"14744","Ordinal":"1","NoteData":"Unicode RTLO characters could allow malicious websites to spoof filenames in the downloads UI for Firefox for iOS, potentially tricking users into saving files of an unexpected file type. This vulnerability was fixed in Firefox for iOS 144.0.","Type":"Description","Title":"Filename spoofing via Unicode Right-to-Left Override in Firefox "}]}}}