Vulnerability Description
jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | < 128.8.0 |
| Mozilla | Thunderbird | < 128.8.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1940027Permissions Required
- https://www.mozilla.org/security/advisories/mfsa2025-14/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2025-16/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2025-17/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2025-18/Vendor Advisory
- https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html
FAQ
What is CVE-2025-1936?
CVE-2025-1936 is a vulnerability with a CVSS score of 7.3 (HIGH). jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was us...
How severe is CVE-2025-1936?
CVE-2025-1936 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-1936?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Mozilla Thunderbird.