First published: Tue Mar 04 2025(Updated: )
It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it.
Credit: security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
Firefox | <136 | |
Firefox ESR | <128.8 | |
Thunderbird | <128.8 | 128.8 |
Firefox | <136 | 136 |
Firefox ESR | <128.8 | 128.8 |
Thunderbird | <136 | 136 |
debian/firefox | 136.0.1-1 | |
debian/firefox-esr | <=115.14.0esr-1~deb11u1<=128.5.0esr-1~deb12u1 | 128.8.0esr-1~deb11u1 128.8.0esr-1~deb12u1 128.8.0esr-1 |
debian/thunderbird | <=1:115.12.0-1~deb11u1<=1:128.5.0esr-1~deb12u1 | 1:128.8.0esr-1~deb11u1 1:128.8.0esr-1~deb12u1 1:128.8.0esr-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
(Found alongside the following vulnerabilities)
CVE-2025-1934 is considered a medium severity vulnerability due to its potential to interrupt RegExp processing and execute unintended JavaScript.
To fix CVE-2025-1934, update your Mozilla Firefox to version 136 or Mozilla Firefox ESR to version 128.8 or later.
CVE-2025-1934 affects Mozilla Firefox versions prior to 136 and Firefox ESR versions prior to 128.8.
Yes, CVE-2025-1934 can allow the execution of additional JavaScript, which may lead to arbitrary code execution under certain conditions.
CVE-2025-1934 is associated with a potential code execution attack through RegExp bailouts in specific versions of Mozilla Firefox.