CVE-2025-1942
Published: 04 March 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-1942 is a critical vulnerability (CVSS 9.8) in the String.toUpperCase() implementation within Mozilla's JavaScript engine, where converting a string to uppercase that results in a longer output could incorporate uninitialized memory into the resulting string (CWE-908). This affects Firefox and Thunderbird versions prior to 136.
Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N/S:U). Successful exploitation enables high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), potentially allowing arbitrary memory read via crafted JavaScript input that triggers the faulty string expansion.
Mozilla addressed the issue in Firefox 136 and Thunderbird 136, as detailed in security advisories MFSA 2025-14 and MFSA 2025-17, along with the upstream bug report at Bugzilla #1947139. Security practitioners should prioritize updating affected browsers to mitigate remote code execution or information disclosure risks.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote, unauthenticated exploit in the Firefox/Thunderbird JavaScript engine via crafted JS input, enabling drive-by compromise of client applications and direct execution of malicious code or memory disclosure on the victim system.