CVE-2025-1939: 
NixOS vulnerability analysis and mitigation

CVE-2025-1939 is a security vulnerability discovered in Firefox's Android Custom Tabs feature, disclosed on March 4, 2025. The vulnerability affects Firefox versions below 136 and involves a tapjacking attack vector using transition animations. The issue was reported by security researcher Philipp Beer and was assigned a high impact rating by Mozilla (Mozilla Advisory).

The vulnerability exists in the Custom Tabs feature of Firefox for Android, which allows Android apps to load web pages. The security flaw specifically relates to the transition animation functionality that could be exploited to deceive users. The vulnerability received a CVSS 3.1 Base Score of 3.9 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. It has been classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) (NVD).

The vulnerability could be exploited to trick users into granting sensitive permissions by concealing the actual content they were clicking on through manipulation of the transition animation in Custom Tabs. This could lead to unauthorized access to sensitive user permissions and potential privacy breaches (Mozilla Advisory).

The vulnerability has been fixed in Firefox version 136. Users are advised to update their Firefox installations to this version or later to protect against this security issue. The fix was released as part of Mozilla's March 2025 security updates (Mozilla Advisory).