QwikSec

Security Database

CVE

CWE

Training

CVE-2025-1936

Published: Mar 4, 2025

Modified: Apr 13, 2026

PUBLISHED

Description

jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.

Vendor	Product	Versions
Mozilla	Firefox	unaffected `128.8 - <= 128.` unaffected `136 - <= `
Mozilla	Thunderbird	unaffected `128.8 - <= 128.` unaffected `136 - <= `

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1940027

https://www.mozilla.org/security/advisories/mfsa2025-14/

https://www.mozilla.org/security/advisories/mfsa2025-16/

https://www.mozilla.org/security/advisories/mfsa2025-17/

https://www.mozilla.org/security/advisories/mfsa2025-18/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.