CVE-2025-11716: 
NixOS vulnerability analysis and mitigation

CVE-2025-11716 is a security vulnerability discovered in Firefox and Thunderbird applications affecting versions prior to 144. The vulnerability was disclosed on October 14, 2025, and was reported by security researcher Axel Chong (@Haxatron). The issue specifically affects Android implementations of these applications where links in a sandboxed iframe could open external apps without the required 'allow-' permission (Mozilla Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges, requires user interaction, has unchanged scope, no impact on confidentiality, high impact on integrity, and no impact on availability. The vulnerability is classified under CWE-284 (Improper Access Control) (NVD).

The vulnerability allows malicious websites to bypass sandbox security controls on Android devices, potentially enabling unauthorized access to external applications. This could lead to unauthorized actions being performed through external app launches without proper permission validation (Mozilla Advisory).

The vulnerability has been fixed in Firefox 144 and Thunderbird 144. Users are advised to update their applications to these versions or later to mitigate the risk. The fix prevents sandboxed iframes from opening external apps without the proper 'allow-' permission (Mozilla Advisory).