CVE-2025-1930
Published: 04 March 2025
Description
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Security Summary
CVE-2025-1930 is a use-after-free vulnerability (CWE-416) affecting the Browser process in Firefox and Thunderbird on Windows. It occurs when a compromised content process sends malformed StreamData over AudioIPC, triggering the use-after-free condition. The vulnerability impacts Firefox versions prior to 136, Firefox ESR prior to 115.21 and 128.8, Thunderbird prior to 136, and Thunderbird prior to 128.8. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
An attacker who first compromises a content process—such as through a separate renderer exploit—can send crafted AudioIPC StreamData to the Browser process, leading to a use-after-free. This enables a sandbox escape, allowing the attacker to execute code outside the content process sandbox with the privileges of the Browser process. Exploitation requires user interaction and is feasible over the network with low complexity and no privileges.
Mozilla addressed the issue in the specified fixed releases, as detailed in security advisories MFSA 2025-14 through MFSA 2025-17 and Bugzilla entry 1902309. Security practitioners should prioritize updating affected Firefox and Thunderbird installations on Windows to the patched versions to mitigate the risk of sandbox escape following content process compromise.
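The fixed versions above can be turned into an inventory check. This is an added example, not Mozilla's code or part of the original advisory. It assumes inventory records of the form (host, os, product, version), that a build's major version identifies its ESR branch, and that the "Thunderbird prior to 128.8" entry refers to the 128.x branch.

```python
import re

# First fixed (major, minor) per product, taken from the summary above.
# Key None is the mainline release train; integer keys are ESR branches.
FIXED = {
    "firefox": {None: (136, 0), 115: (115, 21), 128: (128, 8)},
    "thunderbird": {None: (136, 0), 128: (128, 8)},
}

_VERSION = re.compile(r"(\d+)(?:\.(\d+))?(?:\.\d+)*(?:esr)?", re.IGNORECASE)

def parse_version(text):
    """Return (major, minor) from strings such as '135.0.1' or '128.7.0esr'."""
    match = _VERSION.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(match.group(1)), int(match.group(2) or 0)

def is_affected(product, version):
    """True if this product/version predates the fix for its branch."""
    fixed = FIXED[product.lower()]
    major, minor = parse_version(version)
    # Patched ESR branches use their own fix; everything else uses 136.
    return (major, minor) < fixed.get(major, fixed[None])

def triage(inventory):
    """Map (host, product) on Windows to 'affected', 'patched' or 'unknown'."""
    results = {}
    for host, os_name, product, version in inventory:
        if os_name.lower() != "windows" or product.lower() not in FIXED:
            continue  # the CVE is scoped to Firefox/Thunderbird on Windows
        try:
            state = "affected" if is_affected(product, version) else "patched"
        except ValueError:
            state = "unknown"  # e.g. beta version strings; review by hand
        results[(host, product)] = state
    return results

# Constructed sample inventory: (host, os, product, version)
SAMPLE = [
    ("ws-01", "Windows", "Firefox", "135.0.1"),
    ("ws-02", "Windows", "Firefox", "128.8.0esr"),
    ("ws-03", "Windows", "Firefox", "115.20.0esr"),
    ("ws-04", "Windows", "Thunderbird", "128.7.1esr"),
    ("ws-05", "Linux", "Firefox", "120.0"),
    ("ws-06", "Windows", "Firefox", "136.0b9"),
]
```

Calling `triage(SAMPLE)` shows why a flat "older than 136" rule is not enough: it would flag the patched 128.8.0esr host, while the per-branch comparison does not.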
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free in browser process enables sandbox escape from compromised content process, directly facilitating client-side code execution (T1203), privilege escalation to browser process (T1068), and evasion of sandbox defenses (T1211).