CVE-2025-1933
Published: 04 March 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-1933 is a type confusion vulnerability in the WebAssembly (WASM) Just-In-Time (JIT) compiler on 64-bit CPUs. When compiling i32 return values, the JIT can inadvertently incorporate bits from leftover memory, potentially causing the values to be treated as a different type. This affects Mozilla Firefox versions prior to 136, Firefox ESR prior to 115.21 and 128.8, Thunderbird prior to 136 and 128.8.
Remote attackers can exploit this vulnerability over the network with low complexity and no privileges required, but it necessitates user interaction, such as visiting a malicious site hosting crafted WASM code. Successful exploitation yields low confidentiality and integrity impacts alongside high availability impact, as scored at CVSS 7.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H), potentially enabling denial-of-service or limited data tampering.
Mozilla's security advisories (MFSA 2025-14 through 17) and the associated Bugzilla entry detail the fix, recommending immediate upgrades to Firefox 136, Firefox ESR 115.21 or 128.8, Thunderbird 136, or Thunderbird 128.8 to mitigate the issue. No additional workarounds are specified in the available information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Browser-based type confusion in WASM JIT enables remote exploitation via user visiting malicious site (drive-by compromise) to achieve client execution, potentially leading to DoS or tampering.