Mozilla Products March 2025 1st Security Update Advisory
Overview
An update is available that fixes vulnerabilities in the Mozilla family of products (Thunderbird, Firefox ESR, Firefox). Users of affected products are advised to update to the latest version.
Affected Products
Firefox 136 and earlier
Firefox ESR 115.21 and earlier
Firefox ESR 128.8 and earlier
Thunderbird 128.8 and earlier
Thunderbird 136 and earlier
Resolved Vulnerabilities
Critical Overflow Vulnerability in Firefox ESR, Thunderbird (CVE-2024-43097) [1], [3], [4]
A high-level tapjacking vulnerability exists in Firefox (CVE-2025-1939) [5]
A moderate Bluetooth in-range Passkey phishing vulnerability exists in Firefox (CVE-2024-9956) [5]
A moderate key information bypass vulnerability exists in Firefox (CVE-2025-1941) [5]
Moderate Android intent confirmation prompt tapjacking vulnerability in the Select options feature in Firefox (CVE-2025-1940) [5]
High-level JIT corruption of WASM i32 return value on 64-bit CPUs in Firefox, Firefox ESR, and Thunderbird (CVE-2025-1933) [1], [2], [3], [4], [5]
High Level Memory Security Validation Error Vulnerability in Firefox, Firefox ESR, and Thunderbird (CVE-2025-1937) [1], [2], [3], [4], [5]
High-level use-after-free (UAF) vulnerability in the Browser process function in Firefox, Firefox ESR, and Thunderbird (CVE-2025-1930) [1], [2], [3], [4], [5]
High-level use-after-free (UAF) vulnerability in the WebTransportChild function in Firefox, Firefox ESR, and Thunderbird (CVE-2025-1931) [1], [2], [3], [4], [5]
High-level inconsistent comparator vulnerability in Firefox, Firefox ESR, and Thunderbird (CVE-2025-1932) [1], [2], [3], [4], [5]
Moderate level vulnerability in Firefox, Firefox ESR, and Thunderbird that results in unexpected GC during RegExp bailout handling (CVE-2025-1934) [1], [2], [3], [5]
Moderate-level vulnerability in Firefox and Thunderbird in which .toUpperCase() allows uninitialized memory to be disclosed when a string becomes long (CVE-2025-1942) [2], [5]
Vulnerability Patches
Patches for these vulnerabilities were made available in the 03/04/2025 update, in the versions listed below. For more information on the patches, refer to the Mozilla pages listed under Referenced Sites.
Thunderbird version 128.8
Thunderbird version 136
Firefox ESR 128.8
Firefox ESR 115.21
Firefox version 136
Referenced Sites
[1] Security Vulnerabilities fixed in Thunderbird ESR 128.8
https://www.mozilla.org/en-US/security/advisories/mfsa2025-18/
[2] Security Vulnerabilities fixed in Thunderbird 136
https://www.mozilla.org/en-US/security/advisories/mfsa2025-17/
[3] Security Vulnerabilities fixed in Firefox ESR 128.8
https://www.mozilla.org/en-US/security/advisories/mfsa2025-16/
[4] Security Vulnerabilities fixed in Firefox ESR 115.21
https://www.mozilla.org/en-US/security/advisories/mfsa2025-15/
[5] Security Vulnerabilities fixed in Firefox 136
https://www.mozilla.org/en-US/security/advisories/mfsa2025-14/
[6] Update Firefox to the latest release
https://support.mozilla.org/ko/kb/update-firefox-latest-release