Bug 2361430 (CVE-2025-3839)

Summary: CVE-2025-3839 epiphany: Insecure External Protocol Invocation in Epiphany
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction. This design can be misused to exploit vulnerabilities within those handlers, making them appear remotely exploitable. The browser fails to properly warn or gate this action, resulting in potential code execution on the client device via trusted UI behavior.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2361431    
Bug Blocks:    

Description OSIDB Bzimport 2025-04-21 09:33:39 UTC 
Epiphany prior to versions 48.1 and 47.5 allows websites to trigger external URL handlers with insufficient user interaction or warning. If the handler application is vulnerable, this opens the door to potential code execution under the user's context. This behavior misleads users and shifts the attack surface to local applications.