Description
A race condition existed in nsHttpTransaction that could have been exploited to cause memory corruption, potentially leading to an exploitable condition. This vulnerability was fixed in Firefox 137.0.2.
Published: 2025-04-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption potentially leading to browsers crashing or data corruption
Action: Immediate patch
AI Analysis

Impact

The vulnerability is a race condition in nsHttpTransaction, a component that handles HTTP requests in the browser. The flaw allows concurrent transactions to interfere with each other, corrupting the memory region that stores response data. This memory corruption can result in unexpected application behavior, including crashes or the corruption of data stored in the browser. The description does not confirm arbitrary code execution, so the impact is limited to instability and potential data integrity issues.

Affected Systems

Any Mozilla Firefox installation using a version earlier than 137.0.2 is susceptible. Versions 137.0.2 and later include the fix that removes the flawed synchronization.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. With an EPSS score of less than 1%, the probability of exploitation in the wild is low, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is browser‑based and requires an attacker to deliver malicious web content that triggers the race condition, as inferred from the requirement of concurrent HTTP transactions.

Generated by OpenCVE AI on April 20, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 137.0.2 or later to eliminate the race condition
  • Configure security settings to limit untrusted scripts and mixed content, reducing the chance of malicious HTTP traffic triggering the flaw
  • Enable browser policies that restrict extensions from performing heavy HTTP operations unless explicitly trusted



Advisories
Source: EUVD
ID: EUVD-2025-10975
Title: A race condition existed in nsHttpTransaction that could have been exploited to cause memory corruption, potentially leading to an exploitable condition. This vulnerability affects Firefox < 137.0.2.

History

Mon, 13 Apr 2026 15:00:00 +0000

Description
  Values Removed: A race condition existed in nsHttpTransaction that could have been exploited to cause memory corruption, potentially leading to an exploitable condition. This vulnerability affects Firefox < 137.0.2.
  Values Added: A race condition existed in nsHttpTransaction that could have been exploited to cause memory corruption, potentially leading to an exploitable condition. This vulnerability was fixed in Firefox 137.0.2.
Title
  Values Removed: firefox: Race condition in nsHttpTransaction could lead to memory corruption
  Values Added: Race condition in nsHttpTransaction could lead to memory corruption

Wed, 21 May 2025 20:45:00 +0000

First Time appeared
  Values Added: Mozilla; Mozilla firefox
CPEs
  Values Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Vendors & Products
  Values Added: Mozilla; Mozilla firefox

Sat, 19 Apr 2025 02:00:00 +0000

Title
  Values Added: firefox: Race condition in nsHttpTransaction could lead to memory corruption
Weaknesses
  Values Added: CWE-364
References
Metrics
  Values Removed: threat_severity: None
  Values Added: threat_severity: Important


Fri, 18 Apr 2025 15:15:00 +0000

Metrics
  Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N'}


Thu, 17 Apr 2025 18:15:00 +0000

Weaknesses
  Values Added: CWE-362
Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 15 Apr 2025 13:00:00 +0000

Description
  Values Added: A race condition existed in nsHttpTransaction that could have been exploited to cause memory corruption, potentially leading to an exploitable condition. This vulnerability affects Firefox < 137.0.2.
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:27:49.219Z

Reserved: 2025-04-14T20:03:44.238Z

Link: CVE-2025-3608

Vulnrichment

Updated: 2025-04-17T17:46:52.935Z

NVD

Status: Modified

Published: 2025-04-15T13:15:55.590

Modified: 2026-04-13T15:16:58.020

Link: CVE-2025-3608

Redhat

Severity: Important

Public Date: 2025-04-15T12:57:28Z

Links: CVE-2025-3608 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T20:45:16Z

Weaknesses