CVE-2025-3029: 
NixOS vulnerability analysis and mitigation

A URL bar spoofing vulnerability (CVE-2025-3029) was discovered that affects multiple Mozilla products. The vulnerability was disclosed on April 1, 2025, and involves a crafted URL containing specific Unicode characters that could hide the true origin of a webpage. The affected products include Firefox versions before 137, Firefox ESR versions before 128.9, Thunderbird versions before 137, and Thunderbird ESR versions before 128.9 (Mozilla Advisory).

The vulnerability is classified as a URL bar spoofing issue that specifically involves non-BMP (Basic Multilingual Plane) Unicode characters. It has been assigned a CVSS v3.1 base score of 7.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The vulnerability is categorized under CWE-290 (Authentication Bypass by Spoofing) (NVD).

The vulnerability has been rated as having a moderate impact. When exploited, an attacker could potentially hide the true origin of a webpage, leading to spoofing attacks that could deceive users about the authenticity of the website they are visiting (Mozilla Advisory).

Mozilla has addressed this vulnerability in Firefox 137, Firefox ESR 128.9, Thunderbird 137, and Thunderbird ESR 128.9. Users are advised to update their installations to these versions or newer to mitigate the risk (Mozilla Advisory).