Home > Vulnerability Database > CVE-2025-1936

Mend.io Vulnerability Database

CVE-2025-1936

Date: March 4, 2025

jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8.

Severity Score

7.3

Related Resources (7)

Url: https://www.mozilla.org/security/advisories/mfsa2025-18/

Url: https://www.mozilla.org/security/advisories/mfsa2025-14/

Url: https://www.mozilla.org/security/advisories/mfsa2025-17/

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-1936

Url: https://www.mozilla.org/security/advisories/mfsa2025-16/

Url: https://bugzilla.mozilla.org/show_bug.cgi?id=1940027

Url: https://www.mend.io/vulnerability-database/CVE-2025-1936

Severity Score

7.3

Weakness Type (CWE)

Improper Neutralization of Null Byte or NUL Character

CWE-158

CVSS v3.1

Base Score:	7.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-1936

Date: March 4, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?