CVE-2025-0246: 
NixOS vulnerability analysis and mitigation

CVE-2025-0246 is a moderate severity vulnerability discovered in Firefox for Android that was disclosed on January 7, 2025. The vulnerability allows an attacker to spoof the address bar when using an invalid protocol scheme. This issue specifically affects Firefox versions below 134 and is limited to Android operating systems, with other operating systems being unaffected. It is important to note that this is a distinct issue from CVE-2025-0244 (Mozilla Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) by CISA-ADP with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. Red Hat has assigned a slightly lower CVSS score of 5.4 with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. The vulnerability is classified under CWE-451: User Interface (UI) Misrepresentation of Critical Information (Red Hat).

When exploited, this vulnerability allows attackers to spoof the address bar in Firefox for Android, potentially misleading users about the website they are visiting. The vulnerability has low impact on both confidentiality and integrity, with no impact on availability (Red Hat).

Mozilla has addressed this vulnerability in Firefox version 134. Users of affected versions are advised to update to Firefox 134 or later to mitigate this security risk (Mozilla Advisory).