CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
CVE-2025-1936: jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the...
Description
jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability affects Firefox < 136 and Firefox ESR < 128.8.
Classification
CVE ID: CVE-2025-1936
Problem Types
Adding %00 and a fake extension to a jar: URL changed the interpretation of the contentsAffected Products
Vendor: Mozilla, Mozilla
Product: Firefox, Firefox ESR
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.13% (probability of being exploited)
EPSS Percentile: 28.75% (scored less or equal to compared to others)
EPSS Date: 2025-04-02 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-1936https://bugzilla.mozilla.org/show_bug.cgi?id=1940027
https://www.mozilla.org/security/advisories/mfsa2025-14/
https://www.mozilla.org/security/advisories/mfsa2025-16/