Cyber Posture

CVE-2025-1936

Severity: High
Published: 04 March 2025
Modified: 13 April 2026
KEV Added: not listed
Patch: available (fixed versions listed below)
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0018 (39.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1936 is a high-severity Improper Neutralization of Null Byte or NUL Character (CWE-158) vulnerability in Mozilla Firefox and Thunderbird. Its CVSS v3.1 base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Masquerade File Type (T1036.008). Its EPSS score places it at the 39.6th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Masquerade File Type (T1036.008). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5; AI-generated mapping)

SI-2 Flaw Remediation [prevent]
Timely patching of the null byte parsing flaw in Firefox and Thunderbird jar: URL handling, which is what the vendor fixes address, removes the exploitable condition.

SI-10 Information Input Validation [prevent]
Validation of jar: URL entry paths, rejecting embedded null bytes, ensures that the extension used for content-type detection belongs to the entry actually read from the archive, so a payload cannot be typed as something it is not.

SI-3 Malicious Code Protection [prevent, detect]
Malicious code protection mechanisms identify and block execution of hidden code in web extensions disguised as benign files such as images.

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1036.008 Masquerade File Type [Stealth]
Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file's signature, extension, icon, and contents.
Why these techniques?

The vulnerability bypasses content type checks via null byte handling in jar: URLs, allowing malicious web extension code to be disguised as benign file types (e.g., images), directly enabling T1036.008 Masquerade File Type.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.

Deeper analysis (AI-generated)

CVE-2025-1936 is a vulnerability in the handling of jar: URLs within Mozilla Firefox and Thunderbird. These URLs retrieve local file content packaged in a ZIP archive. When looking up the entry in the archive, the parser ignored the null byte and everything after it, yet it used the fake extension placed after the null byte to determine the content type, so the bytes served belonged to one file while the type assigned to them belonged to another. This flaw, classified under CWE-158 (Improper Neutralization of Null Byte or NUL Character), enabled attackers to hide malicious code within a web extension by disguising it as another file type, such as an image. Versions of Firefox prior to 136, Firefox ESR prior to 128.8, Thunderbird prior to 136, and Thunderbird prior to 128.8 are affected.
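The mechanism described in the NVD text and the paragraph above, modelled as an added example for this page (illustrative code, not Mozilla's parser and not its actual fix). It builds a small constructed .xpi-style archive in memory, then resolves a jar: URL two ways: resolve_vulnerable reproduces the pre-fix behaviour, where the archive lookup stops at the percent-encoded NUL while the content type is taken from the spoofed extension after it, and resolve_fixed shows one hardened behaviour, rejecting any NUL in the entry path and typing the content by the name that was actually read. The archive path, entry names and the extension-to-MIME table are assumptions made for the example.

```python
import io
import zipfile
from urllib.parse import unquote

# Assumed extension -> MIME mapping (illustrative, not Firefox's real table).
MIME_BY_EXT = {
    ".js": "application/javascript",
    ".json": "application/json",
    ".html": "text/html",
    ".png": "image/png",
}


def build_sample_xpi() -> bytes:
    """Constructed sample web-extension archive (an .xpi is a ZIP file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", '{"manifest_version": 2, "name": "sample", "version": "1.0"}')
        zf.writestr("payload.js", "console.log('code hidden behind an image extension');")
        zf.writestr("icon.png", b"\x89PNG\r\n\x1a\n")  # PNG signature only, constructed
    return buf.getvalue()


def split_jar_url(url: str) -> tuple[str, str]:
    """jar:<archive-url>!/<entry-path> -> (archive-url, percent-decoded entry path)."""
    if not url.startswith("jar:") or "!/" not in url:
        raise ValueError("not a jar: URL")
    archive_url, entry = url[len("jar:"):].split("!/", 1)
    return archive_url, unquote(entry)


def content_type_for(name: str) -> str:
    """Type by extension only, as the flawed path did (no content sniffing)."""
    dot = name.rfind(".")
    if dot == -1:
        return "application/octet-stream"
    return MIME_BY_EXT.get(name[dot:].lower(), "application/octet-stream")


def resolve_vulnerable(archive: bytes, url: str) -> tuple[bytes, str]:
    """Pre-fix model: C-string semantics drop the NUL and everything after it
    for the archive lookup, but the full spoofed name decides the content type."""
    _, entry = split_jar_url(url)
    lookup_name = entry.split("\x00", 1)[0]
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        data = zf.read(lookup_name)
    return data, content_type_for(entry)


def resolve_fixed(archive: bytes, url: str) -> tuple[bytes, str]:
    """Hardened model: a NUL anywhere in the entry path is an error, and the
    content type is derived from the exact name that was read."""
    _, entry = split_jar_url(url)
    if "\x00" in entry:
        raise ValueError("NUL byte in jar: entry path")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        data = zf.read(entry)
    return data, content_type_for(entry)


if __name__ == "__main__":
    xpi = build_sample_xpi()
    spoofed = "jar:file:///tmp/sample.xpi!/payload.js%00.png"  # assumed path
    data, ctype = resolve_vulnerable(xpi, spoofed)
    print(ctype, data)  # script bytes served under an image content type
    try:
        resolve_fixed(xpi, spoofed)
    except ValueError as exc:
        print("fixed resolver rejected it:", exc)
```

The point to take from the model is that two different strings were consulted for two different decisions: the truncated one for what to read and the full one for how to label it. Any fix has to make those decisions agree, and rejecting the NUL outright, as resolve_fixed does, is the simplest way to do that.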

The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). The vector describes a network-reachable flaw of low attack complexity that requires neither privileges nor user interaction and does not change scope, with a low (limited) impact on each of confidentiality, integrity, and availability. The practical effect is a bypass of content-type checks that lets disguised payloads, such as executable web-extension code masquerading as an image, be delivered.

Mozilla has fixed this issue in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8. Security advisories MFSA 2025-14, MFSA 2025-16, MFSA 2025-17, and MFSA 2025-18, along with Bugzilla entry 1940027, provide further details on the patch and recommend immediate updates to mitigate the risk.

Details

CWE(s)
CWE-158 Improper Neutralization of Null Byte or NUL Character

Affected Products
mozilla firefox: versions before 136.0; ESR versions before 128.8.0
mozilla thunderbird: versions before 128.8.0; 129.0 up to but not including 136.0

CVEs Like This One

CVE-2026-2777 (same product: Mozilla Firefox)
CVE-2026-6754 (same product: Mozilla Firefox)
CVE-2026-7322 (same product: Mozilla Firefox)
CVE-2026-7320 (same product: Mozilla Firefox)
CVE-2025-8040 (same product: Mozilla Firefox)
CVE-2025-1018 (same product: Mozilla Firefox)
CVE-2026-6780 (same product: Mozilla Firefox)
CVE-2026-2766 (same product: Mozilla Firefox)
CVE-2025-1016 (same product: Mozilla Firefox)
CVE-2026-2757 (same product: Mozilla Firefox)
