CVE-2025-1936
Severity: HIGH
Firefox < 136 and Firefox ESR < 128.8 - Web Extension Code Concealment via Null Byte in jar: URL
jar: URLs retrieve local file content packaged in a ZIP archive. When a jar: URL path contained a null byte, the null byte and everything after it were ignored while retrieving the entry from the archive, but the fake file extension after the null byte was still used to determine the content type. This could have been used to hide code in a web extension disguised as something else, such as an image. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.
References (6)
Permissions Required: https://bugzilla.mozilla.org/show_bug.cgi?id=1940027
Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-14/
Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-16/
Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-17/
Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-18/
Scores
CVSS v3: 7.3
EPSS: 0.0018
EPSS Percentile: 39.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-158
Status: published
Products (7)
mozilla/firefox < 128.8.0
mozilla/firefox < 136.0
Mozilla/Firefox 128.8 - 128.*
Mozilla/Firefox 136
mozilla/thunderbird < 128.8.0
Mozilla/Thunderbird 128.8 - 128.*
Mozilla/Thunderbird 136
Published: Mar 04, 2025
Tracked Since: Feb 18, 2026