CVE-2025-3608

CVSS 6.5 MEDIUM

📋 TL;DR

A race condition in nsHttpTransaction, the HTTP transaction class in Necko (Firefox's network stack), can corrupt memory and potentially lead to an exploitable condition, up to arbitrary code execution. Firefox versions before 137.0.2 are affected; the fix shipped in 137.0.2 (MFSA 2025-25). Exploitation requires the victim to load attacker-controlled web content.

💻 Affected Systems

Products:
  • Mozilla Firefox
Versions: All versions < 137.0.2
Operating Systems: Windows, macOS, Linux, Android
Default Config Vulnerable: ⚠️ Yes
Notes: The affected code sits in the network stack and runs for every HTTP(S) request, so every standard Firefox installation is exposed. Extensions and privacy settings cannot remove the vulnerable code path; at most they reduce an attacker's control over request timing.

📦 What is this software?

Mozilla Firefox is Mozilla's open-source web browser. nsHttpTransaction is the class in Necko, Firefox's networking library, that represents a single HTTP request/response exchange on a connection. It runs in the browser's parent (or dedicated socket) process, not in the sandboxed content processes that render web pages.
⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution in the browser's network process, leading to full system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Browser crash or denial of service. Race conditions are timing-dependent, so reliable code execution is harder to achieve than with a deterministic memory-safety bug, but cannot be ruled out.

🟢 If Mitigated: Browser crash with no data loss. Note that nsHttpTransaction does not run inside a sandboxed content process, so the content-process sandbox should not be counted on to confine this bug; patching promptly is what actually limits the impact.

🌐 Internet-Facing: HIGH - Exploitable via malicious websites or malicious ads; no user interaction is needed beyond loading the page
🏢 Internal Only: MEDIUM - Requires the user to visit a malicious internal site or follow a malicious link

🎯 Exploit Status

Public PoC: ✅ None known
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Race conditions are timing-dependent and may be difficult to reliably exploit. No public exploits have been reported.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 137.0.2

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-25/

Restart Required: Yes

Instructions:

1. Open Firefox.
2. Click menu → Help → About Firefox.
3. Firefox checks for updates automatically and installs version 137.0.2 or later.
4. Restart Firefox when prompted; the fix is not active until the restart.

🔧 Temporary Workarounds

Disable JavaScript (all platforms)

Removes the attacker's ability to script request timing from the page. It does not remove the vulnerable code path: nsHttpTransaction handles every HTTP(S) request, including those triggered by plain HTML (images, stylesheets, iframes), so treat this as risk reduction, not a fix. It also breaks most modern websites.

about:config → javascript.enabled → false

Use Enhanced Tracking Protection Strict Mode (all platforms)

Blocks known tracker and cryptominer domains, which reduces exposure to third-party content such as malicious ads. It does not address the vulnerability itself.

Settings → Privacy & Security → Enhanced Tracking Protection → Strict

🧯 If You Can't Patch

  • Restrict browser usage to trusted websites only
  • Implement application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check the Firefox version: about:support → Application Basics → Version. Any version below 137.0.2 is affected.

Check Version:

firefox --version (Linux/macOS; on macOS the binary is inside Firefox.app under Contents/MacOS) or about:support (all platforms)

Verify Fix Applied:

Confirm the version shown in about:support is 137.0.2 or later, and that the browser has been restarted since the update.
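The version check above scripted for fleet-wide use, as an added example that is not part of the advisory or of Mozilla's tooling. It assumes `firefox --version` prints a line of the form "Mozilla Firefox <version>" (as it does on Linux), compares the dotted version numerically against 137.0.2, and deliberately refuses to classify ESR builds, which use a separate version line (for example 128.x) and must be checked against the advisory rather than against the number 137.0.2.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a `firefox --version` line
# against the fixed release for CVE-2025-3608.

FIXED_VERSION="137.0.2"

# Pull the dotted numeric version out of a line such as
# "Mozilla Firefox 137.0.2" or "Mozilla Firefox 128.9.0esr".
parse_firefox_version() {
    printf '%s\n' "$1" | sed -n 's/^Mozilla Firefox \([0-9][0-9.]*\).*$/\1/p'
}

# Component-wise numeric comparison of two dotted versions.
# Returns 0 when $1 >= $2. Missing components count as 0, so 137.1 >= 137.0.2.
# A plain string compare would get this wrong (e.g. "137.10" < "137.9").
version_ge() {
    v1="$1"
    v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a="${v1%%.*}"
        b="${v2%%.*}"
        if [ "${a:-0}" -gt "${b:-0}" ]; then
            return 0
        fi
        if [ "${a:-0}" -lt "${b:-0}" ]; then
            return 1
        fi
        case "$v1" in *.*) v1="${v1#*.}" ;; *) v1="" ;; esac
        case "$v2" in *.*) v2="${v2#*.}" ;; *) v2="" ;; esac
    done
    return 0
}

# Classify one `firefox --version` line. Prints exactly one of:
#   patched:<ver>      version is 137.0.2 or later
#   vulnerable:<ver>   version is below 137.0.2
#   esr:<ver>          ESR branch; the 137.0.2 threshold does not apply,
#                      check the vendor advisory for the ESR status instead
#   unknown            line did not look like Firefox version output
firefox_status() {
    line="$1"
    ver="$(parse_firefox_version "$line")"
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    case "$line" in
        *esr*)
            echo "esr:$ver"
            return 0
            ;;
    esac
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "patched:$ver"
    else
        echo "vulnerable:$ver"
    fi
}

# Stand-alone use: check the locally installed Firefox, if one is on PATH.
if command -v firefox >/dev/null 2>&1; then
    firefox_status "$(firefox --version 2>/dev/null)"
fi
```

Run it from a configuration-management job and alert on any host that prints vulnerable:, and route esr: results to a separate check, since a release-line comparison against 137.0.2 says nothing about whether an ESR build carries the fix.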

📡 Detection & Monitoring

Log Indicators:

  • Firefox crash reports whose symbolicated stack contains nsHttpTransaction frames. about:crashes lists submitted reports; the stack is only visible once the minidump has been symbolicated (for example on crash-stats.mozilla.org), not in the raw .dmp file.
  • Unexpected browser termination events on endpoints still running a version below 137.0.2

Network Indicators:

  • Bursts of rapid HTTP requests to the same resource from a single client, or unusual request timing, may reflect an attempt to win the race. These are weak, noisy heuristics; legitimate pages produce similar patterns, so use them to prioritise crash triage rather than as stand-alone alerts.

SIEM Query:

source="firefox.logs" AND "nsHttpTransaction"

The terms "race condition" and "memory corruption" name the vulnerability class and never appear in browser logs or crash signatures, so searching for them yields nothing; match on the component name in crash signatures instead.

🔗 References

  • Mozilla Foundation Security Advisory 2025-25: https://www.mozilla.org/security/advisories/mfsa2025-25/
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-3608