CVE-2025-1936

jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1940027	Permissions Required
https://www.mozilla.org/security/advisories/mfsa2025-14/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-16/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-17/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-18/	Vendor Advisory
https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox:::::-:::*
	cpe:2.3:a:mozilla:thunderbird::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::

History

03 Nov 2025, 21:18

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html -

Information

Published : 2025-03-04 14:15

Updated : 2025-11-03 21:18

NVD link : CVE-2025-1936

Mitre link : CVE-2025-1936

CVE.ORG link : CVE-2025-1936

JSON object : View

Products Affected

mozilla

thunderbird
firefox

CWE

CWE-158

Improper Neutralization of Null Byte or NUL Character

{"id": "CVE-2025-1936", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}]}, "published": "2025-03-04T14:15:38.500", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1940027", "tags": ["Permissions Required"], "source": "[email protected]"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-14/", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-16/", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-17/", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-18/", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-158"}]}], "descriptions": [{"lang": "en", "value": "jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8."}, {"lang": "es", "value": "jar: las URL recuperan el contenido de un archivo local empaquetado en un archivo ZIP. El valor null y todo lo que le sigue se ignoran al recuperar el contenido del archivo, pero la extensi\u00f3n falsa que sigue al valor null se utiliza para determinar el tipo de contenido. Esto podr\u00eda haberse utilizado para ocultar c\u00f3digo en una extensi\u00f3n web camuflada en otra cosa, como una imagen. Esta vulnerabilidad afecta a Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136 y Thunderbird < 128.8."}], "lastModified": "2025-11-03T21:18:54.540", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "vulnerable": true, "matchCriteriaId": "51A0498A-4BF8-4166-A347-78023C0A6B33", "versionEndExcluding": "128.8.0"}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "0FD416E8-4DD8-434A-AD75-86F38562E720", "versionEndExcluding": "136.0"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D3C5A2B6-C7B5-4888-B0A7-9DA0C3024C71", "versionEndExcluding": "128.8.0"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93C81C9D-FC2E-4D7D-A97F-8DB97ED92192", "versionEndExcluding": "136.0", "versionStartIncluding": "129.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}