CVE-2025-1937
Published: 04 March 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-1937 involves multiple memory safety bugs classified under CWE-1260, present in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, and Thunderbird 128.7. Some of these bugs demonstrated evidence of memory corruption, which Mozilla presumes could be exploited to achieve arbitrary code execution with sufficient effort. The vulnerability carries a CVSS v3.1 base score of 7.5.
Remote attackers can exploit CVE-2025-1937 over the network without privileges, though it requires high attack complexity and user interaction. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially enabling arbitrary code execution in the context of the affected browser or mail client.
Mozilla advisories MFSA2025-14, MFSA2025-15, MFSA2025-16, and MFSA2025-17 detail the fixes, which are available in Firefox 136, Firefox ESR 115.21, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8. Additional technical details are provided in Bugzilla entries for bugs 1938471 and 1940716. Security practitioners should prioritize updating affected instances to mitigate this issue.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Memory corruption bugs enabling arbitrary code execution in client applications (browser/mail client) directly map to Exploitation for Client Execution.