Description
jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.
Published: 2025-03-04
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

jar: URLs are used to retrieve local file content packaged in a ZIP archive. The vulnerability lies in the interpretation of null bytes and the following fake extension: when a jar URL contains a null byte followed by a fake extension, the null byte and the following content are ignored when retrieving the archive, but the fake extension is used to determine the type of content. This allows malicious code to be concealed inside a file that appears to be an image or other benign content, enabling the code to be executed by the browser as part of a web extension. The impact is the ability for an attacker to execute arbitrary code within the browser context or through a malicious extension, potentially compromising the confidentiality, integrity, or availability of the user’s system.

Affected Systems

Mozilla Firefox prior to version 136 (or ESR 128.8) and Mozilla Thunderbird prior to version 136 (or ESR 128.8) are affected. The issue arises when a browser loads a jar: URL from a web extension or other source. Operating systems such as Red Hat Enterprise Linux, though listed as CPEs, are not directly impacted unless they run the affected browsers. Systems using the affected browser versions should upgrade to the patched releases to eliminate the vulnerability.

Risk and Exploitability

With a CVSS score of 7.3 the vulnerability is classified as high severity. The EPSS score of less than 1 % indicates a low probability of exploitation, and the vulnerability is not yet recorded in the CISA KEV catalog. Exploitation requires the attacker to supply a jar: URL that contains a null byte followed by a fake extension, typically within the context of a malicious or compromised web extension. The attacker must have the ability to deliver or install that extension, so the attack surface is limited to users who install extensions or visit sites that can define such URLs. While the risk is not trivial, the likelihood of widespread exploitation remains low under the current conditions.

Generated by OpenCVE AI on April 20, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 136 or later, or ESR 128.8, and update Mozilla Thunderbird to version 136 or later, or ESR 128.8.
  • If an update cannot be performed immediately, avoid using jar: URLs and review the source of any extensions that rely on jar: protocol, removing or disabling them until patching is performed.
  • Validate and audit any third‑party extensions for unexpected hidden files or unusual MIME type declarations before installation.

Generated by OpenCVE AI on April 20, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4078-1 firefox-esr security update
Debian DLA Debian DLA DLA-4081-1 thunderbird security update
Debian DSA Debian DSA DSA-5874-1 firefox-esr security update
Debian DSA Debian DSA DSA-5876-1 thunderbird security update
EUVD EUVD EUVD-2025-7441 jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8.
Ubuntu USN Ubuntu USN USN-7334-1 Firefox vulnerabilities
Ubuntu USN Ubuntu USN USN-7663-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8. jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.
Title firefox: Adding %00 and a fake extension to a jar: URL changed the interpretation of the contents Adding %00 and a fake extension to a jar: URL changed the interpretation of the contents

Mon, 03 Nov 2025 21:30:00 +0000

Type Values Removed Values Added
References

Tue, 24 Jun 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Wed, 26 Mar 2025 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-158

Tue, 25 Mar 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Fri, 14 Mar 2025 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
CPEs cpe:/a:redhat:rhel_aus:8.2
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els

Mon, 10 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:8.8
cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_eus:9.4
cpe:/a:redhat:rhel_tus:8.4
cpe:/a:redhat:rhel_tus:8.6
Vendors & Products Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus
Redhat rhel Tus

Fri, 07 Mar 2025 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:8

Thu, 06 Mar 2025 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux

Wed, 05 Mar 2025 03:00:00 +0000

Type Values Removed Values Added
Title firefox: Adding %00 and a fake extension to a jar: URL changed the interpretation of the contents
Weaknesses CWE-754
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

threat_severity

Low

Wed, 05 Mar 2025 00:00:00 +0000

Type Values Removed Values Added
Description jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability affects Firefox < 136 and Firefox ESR < 128.8. jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8.
References

Tue, 04 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability affects Firefox < 136 and Firefox ESR < 128.8.
References

Subscriptions

Mozilla Firefox Thunderbird
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:27:43.945Z

Reserved: 2025-03-04T12:29:40.207Z

Link: CVE-2025-1936

cve-icon Vulnrichment

Updated: 2025-11-03T20:57:22.527Z

cve-icon NVD

Status : Modified

Published: 2025-03-04T14:15:38.500

Modified: 2026-04-13T15:16:52.820

Link: CVE-2025-1936

cve-icon Redhat

Severity : Low

Publid Date: 2025-03-04T13:31:26Z

Links: CVE-2025-1936 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T18:30:13Z

Weaknesses