AI description
Generated using AI and has not been reviewed by Intruder. May contain errors.
CVE-2025-1932 is an inconsistent comparator in `xslt/txNodeSorter` that could lead to potentially exploitable out-of-bounds access. It affects Mozilla Firefox and Thunderbird: Firefox versions prior to 136, Firefox ESR versions prior to 128.8, Thunderbird versions prior to 136, and Thunderbird versions prior to 128.8. The vulnerability resides in versions 122 and later. An attacker could potentially exploit this to gain unauthorized access to sensitive system memory, execute arbitrary code, and compromise the confidentiality and availability of affected systems.
- Description: An inconsistent comparator in xslt/txNodeSorter could have resulted in potentially exploitable out-of-bounds access. Only affected version 122 and later. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8.
- Source: security@mozilla.org
- NVD status: Analyzed
CVSS 3.1
- Type: Secondary
- Base score: 8.1
- Impact score: 5.2
- Exploitability score: 2.8
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
- Severity: HIGH
- 134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-125
- Hype score: Not currently trending
```json
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "51A0498A-4BF8-4166-A347-78023C0A6B33",
            "versionEndExcluding": "128.8.0"
          },
          {
            "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7DB4CDD0-EC54-43D0-ACB2-F159ABA53D2C",
            "versionEndExcluding": "136.0"
          },
          {
            "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "99F8DD82-EEDB-4C5E-9C4A-0F83E492B4CE",
            "versionEndExcluding": "128.8.0",
            "versionStartIncluding": "]"
          },
          {
            "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "93C81C9D-FC2E-4D7D-A97F-8DB97ED92192",
            "versionEndExcluding": "136.0",
            "versionStartIncluding": "129.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
```