CVE-2025-3839

Name: CVE-2025-3839
Description: A flaw was found in Epiphany: the browser allows websites to open external URL handler applications with minimal user interaction. This design can be misused to exploit vulnerabilities within those handlers, making them appear remotely exploitable. The browser fails to properly warn or gate this action, resulting in potential code execution on the client device via trusted UI behavior.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package          Release                        Version           Status
epiphany-browser (PTS)  bullseye (security), bullseye  3.38.2-1+deb11u3  vulnerable
                        bookworm                       43.1-1            vulnerable
                        trixie                         48.5-0+deb13u1    fixed
                        forky, sid                     49.2-3            fixed

The information below is based on the following data on fixed versions.

Package           Type    Release     Fixed Version  Urgency  Origin  Debian Bugs
epiphany-browser  source  (unstable)  48.1-1         -        -       -

Notes

[bookworm] - epiphany-browser <no-dsa> (Minor issue)
[bullseye] - epiphany-browser <postponed> (Minor issue)
https://gitlab.gnome.org/GNOME/epiphany/-/issues/2641
Fixed by: https://gitlab.gnome.org/GNOME/epiphany/-/commit/324e25caee659bce43ff5c614d105f64899dfb7f (48.1)
Fixed by: https://gitlab.gnome.org/GNOME/epiphany/-/commit/9f80e7e80b75212627790d74041d46eedb6e321e (47.5)