Cyber Resilience

CVE-2025-1942

Critical

Published: 04 March 2025

Published
04 March 2025
Modified
13 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0047 64.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1942 is a critical-severity Use of Uninitialized Resource (CWE-908) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 35.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-1942 is a critical vulnerability (CVSS 9.8) in the String.toUpperCase() implementation within Mozilla's JavaScript engine, where converting a string to uppercase that results in a longer output could incorporate uninitialized memory into the resulting string (CWE-908). This affects Firefox and Thunderbird versions prior to 136.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N/S:U). Successful exploitation enables high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), potentially allowing arbitrary memory read via crafted JavaScript input that triggers the faulty string expansion.

Mozilla addressed the issue in Firefox 136 and Thunderbird 136, as detailed in security advisories MFSA 2025-14 and MFSA 2025-17, along with the upstream bug report at Bugzilla #1947139. Security practitioners should prioritize updating affected browsers to mitigate remote code execution or information disclosure risks.

EU & UK References

Vulnerability details

When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result string. This vulnerability was fixed in Firefox 136 and Thunderbird 136.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The CVE describes a remote, unauthenticated exploit in the Firefox/Thunderbird JavaScript engine via crafted JS input, enabling drive-by compromise of client applications and direct execution of malicious code or memory disclosure on the victim system.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2758Same product: Mozilla Firefox
CVE-2026-8962Same product: Mozilla Firefox
CVE-2026-2790Same product: Mozilla Firefox
CVE-2026-2793Same product: Mozilla Firefox
CVE-2026-4720Same product: Mozilla Firefox
CVE-2025-1016Same product: Mozilla Firefox
CVE-2026-4721Same product: Mozilla Firefox
CVE-2026-2770Same product: Mozilla Firefox
CVE-2026-2775Same product: Mozilla Firefox
CVE-2026-6763Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 136.0
mozilla
thunderbird
≤ 136.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely patching of the vulnerable JavaScript engine in Firefox and Thunderbird versions prior to 136 to remediate the uninitialized memory incorporation flaw.

preventdetect

Requires vulnerability scanning to identify systems running affected browser versions and subsequent remediation to address CVE-2025-1942.

prevent

Implements memory safeguards like ASLR and DEP to mitigate unauthorized disclosure of uninitialized memory exploited via the String.toUpperCase() vulnerability.

References