PT-2025-9661 · Mozilla+11 · Firefox+11

Surya Dev Singh

·

Published

2025-03-04

·

Updated

2025-07-22

·

CVE-2025-1936

CVSS v3.1

7.3

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions Firefox versions prior to 136 Firefox ESR versions prior to 128.8
Description The issue allows jar: URLs to retrieve local file content packaged in a ZIP archive. When retrieving content from the archive, anything after a null character is ignored, but a fake extension after the null can be used to determine the content type. This could be exploited to hide code in a web extension disguised as a different file type, such as an image.
Recommendations For Firefox versions prior to 136, update to version 136 or later. For Firefox ESR versions prior to 128.8, update to version 128.8 or later.

Fix

Improper Check for Exceptional Conditions

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-158CWE-754

Related Identifiers

ALSA-2025:2359
ALSA-2025:2452
ALT-PU-2025-3905
ALT-PU-2025-4001
ALT-PU-2025-4567
ALT-PU-2025-5829
ALT-PU-2025-7695
ALT-PU-2025-7697
BDU:2025-02600
CESA-2025_2452
CVE-2025-1936
DLA-4078-1
DLA-4081-1
DSA-5874-1
DSA-5876-1
INFSA-2025_2359
INFSA-2025_2452
MGASA-2025-0092
MGASA-2025-0093
OESA-2025-1265
OESA-2025-1266
OESA-2025-1267
OESA-2025-1268
OESA-2025-1835
OPENSUSE-SU-2025:14852-1
OPENSUSE-SU-2025:14853-1
OPENSUSE-SU-2025:14861-1
OPENSUSE-SU-2025_0788-1
OPENSUSE-SU-2025_0849-1
RHSA-2025:2359
RHSA-2025:2452
RHSA-2025:2479
RHSA-2025:2480
RHSA-2025:2481
RHSA-2025:2484
RHSA-2025:2485
RHSA-2025:2486
RHSA-2025:2699
RHSA-2025:2708
RHSA-2025_2359
RHSA-2025_2452
SUSE-SU-2025:0783-1
SUSE-SU-2025:0788-1
SUSE-SU-2025:0849-1
SUSE-SU-2025_0783-1
USN-7334-1
USN-7663-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Firefox
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu