CVE-2025-1936 – This vulnerability in Firefox and Thunderbird a... (How to Fix)

Q: How do I fix CVE-2025-1936?

1. Open Firefox/Thunderbird. 2. Click menu → Help → About Firefox/Thunderbird. 3. Allow automatic update check and installation. 4. Restart the application when prompted.

Q: What is the severity of CVE-2025-1936?

CVE-2025-1936 has a CVSS score of 7.3 (HIGH). This vulnerability in Firefox and Thunderbird allows attackers to hide malicious code in web extensions by disguising it as other file types like images. It exploits how jar: URLs handle null bytes in ZIP archive content retrieval, enabling code execution through disguised extensions. Affected users include anyone running vulnerable versions of Firefox, Firefox ESR, Thunderbird, or Thunderbird ESR.

📋 TL;DR

This vulnerability in Firefox and Thunderbird allows attackers to hide malicious code in web extensions by disguising it as other file types like images. It exploits how jar: URLs handle null bytes in ZIP archive content retrieval, enabling code execution through disguised extensions. Affected users include anyone running vulnerable versions of Firefox, Firefox ESR, Thunderbird, or Thunderbird ESR.

💻 Affected Systems

Products:

Firefox
Firefox ESR
Thunderbird
Thunderbird ESR

Versions: Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, Thunderbird ESR < 128.8

Operating Systems: Windows, Linux, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations are vulnerable. The vulnerability affects how jar: URLs process ZIP archives regardless of system settings.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution through malicious web extensions that appear as benign files, potentially leading to full system compromise.

🟠

Likely Case

Attackers trick users into installing malicious web extensions that bypass security checks, leading to data theft or further exploitation.

🟢

If Mitigated

Limited impact with proper extension vetting and user awareness, though risk remains for unpatched systems.

🌐 Internet-Facing: HIGH - Web browsers are inherently internet-facing and extensions can be delivered via websites.

🏢 Internal Only: MEDIUM - Risk exists if users install extensions from internal sources, but attack surface is reduced compared to internet exposure.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires user interaction to install a malicious web extension. The vulnerability is publicly disclosed but no known public exploits exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 136+, Firefox ESR 128.8+, Thunderbird 136+, Thunderbird ESR 128.8+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-14/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird. 2. Click menu → Help → About Firefox/Thunderbird. 3. Allow automatic update check and installation. 4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable jar: protocol

all

Prevents jar: URL processing in browser, which may break some legitimate functionality but eliminates this attack vector.

about:config → set network.jar.open-unsafe-types to false

Restrict extension installation

all

Only allow extensions from trusted sources like official add-on stores.

about:preferences → Privacy & Security → Allow extensions from → Select 'Only from Mozilla'

🧯 If You Can't Patch

Implement application whitelisting to prevent execution of unauthorized browser extensions.
Use network filtering to block downloads of .jar or .zip files from untrusted sources.

🔍 How to Verify

Check if Vulnerable:

Check browser version: Firefox/Thunderbird → Help → About. If version is below patched versions, system is vulnerable.

Check Version:

firefox --version or thunderbird --version on Linux/macOS; check About dialog on Windows.

Verify Fix Applied:

Confirm version is Firefox 136+, Firefox ESR 128.8+, Thunderbird 136+, or Thunderbird ESR 128.8+.

📡 Detection & Monitoring

Log Indicators:

Unusual extension installation events
Jar file processing errors in browser logs

Network Indicators:

Downloads of .jar or .zip files with unusual extensions
Requests to jar: URLs with null bytes

SIEM Query:

source="browser_logs" AND (event="extension_install" AND extension_name NOT IN allowed_list) OR (url="jar:*\0*")

📊 Metadata

CVE ID: CVE-2025-1936

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-158

EPSS Score: 0.73% exploit probability (72.2th percentile)

Published: March 4, 2025

Last Updated: November 3, 2025

🔗 References

https://bugzilla.mozilla.org/show_bug.cgi?id=1940027 Permissions Required
https://www.mozilla.org/security/advisories/mfsa2025-14/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-16/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-17/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-18/ Vendor Advisory
https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-1936, you might also want to check these: