CVE-2025-1931

CVE-2025-1931 is a use-after-free vulnerability (CWE-416) occurring in the content process side of a WebTransport connection within Mozilla Firefox and Thunderbird products. This flaw enables a potentially exploitable crash and affects versions of Firefox prior to 136, Firefox ESR prior to 115.21 and 128.8, and Thunderbird prior to 136 and 128.8. The issue was publicly disclosed on March 4, 2025.

With a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), the vulnerability can be exploited remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation leads to a denial-of-service condition through a crash in the browser's content process, which may serve as a foundation for further compromise given its potentially exploitable nature.

Mozilla resolved the vulnerability in Firefox 136, Firefox ESR 115.21, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8. Security practitioners should review Mozilla Security Advisories MFSA 2025-14, MFSA 2025-15, MFSA 2025-16, and MFSA 2025-17, along with Bugzilla entry 1944126, for patch deployment guidance and additional technical details.