Cyber Resilience

CVE-2025-1937

HighPublic PoC

Published: 04 March 2025

Published
04 March 2025
Modified
13 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0026 49.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1937 is a high-severity Improper Handling of Overlap Between Protected Memory Ranges (CWE-1260) vulnerability in Mozilla Firefox. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 49.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-1937 involves multiple memory safety bugs classified under CWE-1260, present in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, and Thunderbird 128.7. Some of these bugs demonstrated evidence of memory corruption, which Mozilla presumes could be exploited to achieve arbitrary code execution with sufficient effort. The vulnerability carries a CVSS v3.1 base score of 7.5.

Remote attackers can exploit CVE-2025-1937 over the network without privileges, though it requires high attack complexity and user interaction. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially enabling arbitrary code execution in the context of the affected browser or mail client.

Mozilla advisories MFSA2025-14, MFSA2025-15, MFSA2025-16, and MFSA2025-17 detail the fixes, which are available in Firefox 136, Firefox ESR 115.21, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8. Additional technical details are provided in Bugzilla entries for bugs 1938471 and 1940716. Security practitioners should prioritize updating affected instances to mitigate this issue.

EU & UK References

Vulnerability details

Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, and Thunderbird 128.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been…

more

exploited to run arbitrary code. This vulnerability was fixed in Firefox 136, Firefox ESR 115.21, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Memory corruption bugs enabling arbitrary code execution in client applications (browser/mail client) directly map to Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-9179Same product: Mozilla Firefox
CVE-2026-6753Same product: Mozilla Firefox
CVE-2025-1943Same product: Mozilla Firefox
CVE-2026-2767Same product: Mozilla Firefox
CVE-2025-1017Same product: Mozilla Firefox
CVE-2026-2792Same product: Mozilla Firefox
CVE-2025-9185Same product: Mozilla Firefox
CVE-2026-8949Same product: Mozilla Firefox
CVE-2026-8973Same product: Mozilla Firefox
CVE-2025-9184Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 115.21.0 · ≤ 128.8.0 · ≤ 135.0
mozilla
thunderbird
≤ 128.8.0 · 129.0 — 136.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely identification, reporting, and correction of software flaws like the memory safety bugs in CVE-2025-1937 to prevent arbitrary code execution.

prevent

Implements controls such as address space layout randomization and data execution prevention to minimize exploitation of memory corruption vulnerabilities in CVE-2025-1937.

prevent

Enforces process isolation in browsers like Firefox and Thunderbird to contain potential arbitrary code execution resulting from CVE-2025-1937 memory safety bugs.

References