CVE-2025-1930 – A use-after-free vulnerability in Firefox and T... (How to Fix)

Q: How do I fix CVE-2025-1930?

1. Open Firefox/Thunderbird. 2. Click menu → Help → About Firefox/Thunderbird. 3. Allow automatic update check and installation. 4. Restart the application when prompted.

Q: What is the severity of CVE-2025-1930?

CVE-2025-1930 has a CVSS score of 8.8 (HIGH). A use-after-free vulnerability in Firefox and Thunderbird on Windows allows a compromised content process to send malicious AudioIPC StreamData to the browser process, potentially leading to memory corruption and sandbox escape. This affects Firefox versions below 136, Firefox ESR below 115.21 and 128.8, and Thunderbird below 136 and 128.8. Attackers could exploit this to execute arbitrary code with browser process privileges.

📋 TL;DR

A use-after-free vulnerability in Firefox and Thunderbird on Windows allows a compromised content process to send malicious AudioIPC StreamData to the browser process, potentially leading to memory corruption and sandbox escape. This affects Firefox versions below 136, Firefox ESR below 115.21 and 128.8, and Thunderbird below 136 and 128.8. Attackers could exploit this to execute arbitrary code with browser process privileges.

💻 Affected Systems

Products:

Mozilla Firefox
Mozilla Firefox ESR
Mozilla Thunderbird

Versions: Firefox < 136, Firefox ESR < 115.21, Firefox ESR < 128.8, Thunderbird < 136, Thunderbird < 128.8

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Windows operating systems. Linux and macOS versions are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full sandbox escape leading to arbitrary code execution with browser process privileges, potentially compromising the entire Windows system.

🟠

Likely Case

Browser process compromise allowing data theft, session hijacking, and installation of malware or backdoors.

🟢

If Mitigated

Limited impact if sandboxing is properly configured and other security controls prevent initial content process compromise.

🌐 Internet-Facing: HIGH - Web browsers are inherently internet-facing and process untrusted content regularly.

🏢 Internal Only: MEDIUM - Internal users could be targeted via malicious internal websites or documents.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Requires initial content process compromise, but then allows unauthenticated exploitation via AudioIPC. No public exploit code has been disclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 136, Firefox ESR 115.21, Firefox ESR 128.8, Thunderbird 136, Thunderbird 128.8

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-14/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird. 2. Click menu → Help → About Firefox/Thunderbird. 3. Allow automatic update check and installation. 4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable AudioIPC (Not Recommended)

windows

Disabling AudioIPC may break audio functionality but could mitigate the vulnerability

Not available - would require code modification

🧯 If You Can't Patch

Restrict browser usage to trusted websites only
Implement application whitelisting to prevent execution of compromised browser processes

🔍 How to Verify

Check if Vulnerable:

Check browser version in Help → About Firefox/Thunderbird and compare with affected versions.

Check Version:

firefox --version or thunderbird --version

Verify Fix Applied:

Verify version is equal to or greater than Firefox 136, Firefox ESR 115.21/128.8, Thunderbird 136/128.8.

📡 Detection & Monitoring

Log Indicators:

Unusual AudioIPC errors
Browser process crashes with memory access violations
Sandbox violation alerts

Network Indicators:

Unusual AudioIPC traffic patterns
Suspicious web content triggering audio processing

SIEM Query:

EventID=1000 OR EventID=1001 SourceName=Firefox OR SourceName=Thunderbird AND (ExceptionCode=0xc0000005 OR ExceptionCode=0xc0000374)

📊 Metadata

CVE ID: CVE-2025-1930

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-416

EPSS Score: 0.38% exploit probability (58.9th percentile)

Published: March 4, 2025

Last Updated: April 4, 2025

🔗 References

https://bugzilla.mozilla.org/show_bug.cgi?id=1902309 Issue Tracking
https://www.mozilla.org/security/advisories/mfsa2025-14/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-15/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-16/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-17/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-18/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-1930, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Firefox by Mozilla

Firefox by Mozilla

Firefox by Mozilla

Thunderbird by Mozilla

Thunderbird by Mozilla

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable AudioIPC (Not Recommended)

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities