CVE-2025-1932
Published: 04 March 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2025-1932 is a vulnerability stemming from an inconsistent comparator in the xslt/txNodeSorter component, which could lead to potentially exploitable out-of-bounds access classified under CWE-125 (Out-of-bounds Read). It affects Mozilla Firefox versions 122 and later, Firefox ESR, and Thunderbird, with the issue fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H), indicating high severity due to its potential for significant confidentiality and availability impacts.
Attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required, but it necessitates user interaction, such as loading malicious XSLT content in a browser or email client. Successful exploitation could result in high-impact confidentiality breaches by reading sensitive process memory and high-impact availability disruptions like application crashes or denial of service, without affecting integrity.
Mozilla's security advisories (MFSA 2025-14, 2025-16, 2025-17, and 2025-18) and the associated Bugzilla entry recommend updating to the patched versions—Firefox 136, Firefox ESR 128.8, Thunderbird 136, or Thunderbird 128.8—as the primary mitigation. No workarounds are specified in the provided details.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes remote exploitation via user interaction to load malicious XSLT content in a browser or email client, directly enabling drive-by compromise through malicious websites and user execution or spearphishing via malicious links.