CVE-2025-8042: 
Mozilla Firefox vulnerability analysis and mitigation

CVE-2025-8042 is a security vulnerability discovered in Firefox for Android that was disclosed on July 22, 2025. The vulnerability allows a sandboxed iframe without the allow-downloads attribute to start downloads, which violates the intended security restrictions. This issue specifically affects Firefox versions prior to 141 on the Android platform (Mozilla Advisory).

The vulnerability has been classified with a moderate severity impact according to Mozilla's security assessment. The issue stems from a security control bypass where sandboxed iframes could initiate downloads despite lacking the explicit allow-downloads attribute, which should prevent such actions. The vulnerability was identified and reported by security researcher Axel Chong (@Haxatron) (Mozilla Advisory).

The vulnerability affects the security boundary of sandboxed iframes in Firefox for Android, potentially allowing malicious websites to initiate unauthorized downloads through sandboxed frames. This could lead to unexpected and potentially harmful file downloads on users' devices (Debian Tracker).

The vulnerability has been fixed in Firefox version 141. Users are advised to update their Firefox for Android installations to version 141 or later to mitigate this security issue. The fix prevents sandboxed iframes from initiating downloads unless explicitly permitted through the allow-downloads attribute (Mozilla Advisory).