CVE-2025-1936
Published: 04 March 2025
Description
Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, icon, and contents.
Security Summary
CVE-2025-1936 is a vulnerability in the handling of jar: URLs within Mozilla Firefox and Thunderbird. These URLs retrieve local file content packaged in a ZIP archive, but the parser ignored the null byte and everything after it when extracting the content, while using a fake extension placed after the null byte to determine the content type. This flaw, classified under CWE-158 (Null Byte Interaction Error), enabled attackers to hide malicious code within a web extension by disguising it as another file type, such as an image. Versions of Firefox prior to 136, Firefox ESR prior to 128.8, Thunderbird prior to 136, and Thunderbird prior to 128.8 are affected.
The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating it can be exploited remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Exploitation allows limited impacts on confidentiality, integrity, and availability, primarily through the bypass of content type checks to deliver disguised malicious payloads, such as executable web extensions masquerading as benign files.
Mozilla has fixed this issue in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8. Security advisories MFSA 2025-14, MFSA 2025-16, MFSA 2025-17, and MFSA 2025-18, along with Bugzilla entry 1940027, provide further details on the patch and recommend immediate updates to mitigate the risk.
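The check below is an added example, not code from Mozilla or from this page. It shows the mismatch described in the summary as a detection rule: one view of a jar: entry name is truncated at the null byte (used to read content), the other keeps the full name (used to pick the content type). It assumes the null byte arrives percent-encoded as %00; the extension table, sample URLs and function names are constructed for illustration, and the strict rule is one possible defensive policy rather than a description of the actual patch.

```python
from dataclasses import dataclass
from posixpath import splitext
from urllib.parse import unquote

# Constructed extension table for this example; a real client has its own.
TYPES = {".png": "image/png", ".jpg": "image/jpeg",
         ".js": "text/javascript", ".html": "text/html"}

# Constructed sample URLs (hypothetical archive path and entry names).
SAMPLE_DISGUISED = "jar:file:///tmp/example.xpi!/payload.js%00.png"
SAMPLE_BENIGN = "jar:file:///tmp/example.xpi!/icons/logo.png"

@dataclass
class JarEntryCheck:
    name_for_type: str     # full decoded entry name, NUL included
    name_for_read: str     # name left after truncating at the first NUL
    declared_type: str     # type derived from the full name
    actual_type: str       # type of the entry that is really read
    mismatch: bool

def type_of(name: str) -> str:
    return TYPES.get(splitext(name)[1].lower(), "application/octet-stream")

def check_jar_url(url: str) -> JarEntryCheck:
    """Report whether the two views of a jar: entry name disagree."""
    if not url.lower().startswith("jar:"):
        raise ValueError("not a jar: URL")
    _archive, sep, entry = url[4:].rpartition("!/")
    if not sep:
        raise ValueError("jar: URL has no '!/' entry separator")
    full = unquote(entry.split("#", 1)[0].split("?", 1)[0])
    read = full.split("\x00", 1)[0]
    declared, actual = type_of(full), type_of(read)
    return JarEntryCheck(full, read, declared, actual, declared != actual)

def strict_content_type(url: str) -> str:
    """Defensive rule: refuse any entry name that contains a NUL byte."""
    result = check_jar_url(url)
    if "\x00" in result.name_for_type:
        raise ValueError("NUL byte in jar: entry name")
    return result.actual_type

if __name__ == "__main__":
    for sample in (SAMPLE_DISGUISED, SAMPLE_BENIGN):
        print(check_jar_url(sample))
```

The same comparison can be run over jar: URLs seen in logs or over entry names listed from an extension package to flag names whose type changes once the null byte is taken into account.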
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability bypasses content type checks via null byte handling in jar: URLs, allowing malicious web extension code to be disguised as benign file types (e.g., images), directly enabling T1036.008 Masquerade File Type.