{"api_version":"1","generated_at":"2026-04-23T10:41:58+00:00","cve":"CVE-2025-1936","urls":{"html":"https://cve.report/CVE-2025-1936","api":"https://cve.report/api/cve/CVE-2025-1936.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-1936","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-1936"},"summary":{"title":"Adding %00 and a fake extension to a jar: URL  changed the interpretation of the contents","description":"jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.","state":"PUBLISHED","assigner":"mozilla","published_at":"2025-03-04 14:15:38","updated_at":"2026-04-13 15:16:52"},"problem_types":["CWE-158","CWE-158 CWE-158 Improper Neutralization of Null Byte or NUL Character"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"7.3","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7.3,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"7.3","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"}}],"references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html","name":"https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.mozilla.org/security/advisories/mfsa2025-14/","name":"https://www.mozilla.org/security/advisories/mfsa2025-14/","refsource":"security@mozilla.org","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.mozilla.org/security/advisories/mfsa2025-16/","name":"https://www.mozilla.org/security/advisories/mfsa2025-16/","refsource":"security@mozilla.org","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.mozilla.org/security/advisories/mfsa2025-17/","name":"https://www.mozilla.org/security/advisories/mfsa2025-17/","refsource":"security@mozilla.org","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.mozilla.org/security/advisories/mfsa2025-18/","name":"https://www.mozilla.org/security/advisories/mfsa2025-18/","refsource":"security@mozilla.org","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1940027","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1940027","refsource":"security@mozilla.org","tags":["Permissions Required"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-1936","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-1936","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Mozilla","product":"Firefox","version":"unaffected 128.8 128.* rpm","platforms":[]},{"source":"CNA","vendor":"Mozilla","product":"Firefox","version":"unaffected 136 * rpm","platforms":[]},{"source":"CNA","vendor":"Mozilla","product":"Thunderbird","version":"unaffected 128.8 128.* rpm","platforms":[]},{"source":"CNA","vendor":"Mozilla","product":"Thunderbird","version":"unaffected 136 * rpm","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Surya Dev Singh","lang":"en"}],"nvd_cpes":[{"cve_year":"2025","cve_id":"1936","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"1936","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"esr","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2025","cve_id":"1936","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":7.3,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","version":"3.1"}},{"other":{"content":{"id":"CVE-2025-1936","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2025-03-25T17:55:09.593793Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-158","description":"CWE-158 Improper Neutralization of Null Byte or NUL Character","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-03-26T16:29:31.244Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2025-11-03T20:57:22.527Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"Firefox","vendor":"Mozilla","versions":[{"lessThanOrEqual":"128.*","status":"unaffected","version":"128.8","versionType":"rpm"},{"lessThanOrEqual":"*","status":"unaffected","version":"136","versionType":"rpm"}]},{"product":"Thunderbird","vendor":"Mozilla","versions":[{"lessThanOrEqual":"128.*","status":"unaffected","version":"128.8","versionType":"rpm"},{"lessThanOrEqual":"*","status":"unaffected","version":"136","versionType":"rpm"}]}],"credits":[{"lang":"en","value":"Surya Dev Singh"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8."}],"value":"jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8."}],"providerMetadata":{"dateUpdated":"2026-04-13T14:27:43.945Z","orgId":"f16b083a-5664-49f3-a51e-8d479e5ed7fe","shortName":"mozilla"},"references":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1940027"},{"url":"https://www.mozilla.org/security/advisories/mfsa2025-14/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2025-16/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2025-17/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2025-18/"}],"title":"Adding %00 and a fake extension to a jar: URL  changed the interpretation of the contents"}},"cveMetadata":{"assignerOrgId":"f16b083a-5664-49f3-a51e-8d479e5ed7fe","assignerShortName":"mozilla","cveId":"CVE-2025-1936","datePublished":"2025-03-04T13:31:26.282Z","dateReserved":"2025-03-04T12:29:40.207Z","dateUpdated":"2026-04-13T14:27:43.945Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-03-04 14:15:38","lastModifiedDate":"2026-04-13 15:16:52","problem_types":["CWE-158","CWE-158 CWE-158 Improper Neutralization of Null Byte or NUL Character"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*","versionEndExcluding":"128.8.0","matchCriteriaId":"51A0498A-4BF8-4166-A347-78023C0A6B33"},{"vulnerable":true,"criteria":"cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*","versionEndExcluding":"136.0","matchCriteriaId":"0FD416E8-4DD8-434A-AD75-86F38562E720"},{"vulnerable":true,"criteria":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"128.8.0","matchCriteriaId":"D3C5A2B6-C7B5-4888-B0A7-9DA0C3024C71"},{"vulnerable":true,"criteria":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionStartIncluding":"129.0","versionEndExcluding":"136.0","matchCriteriaId":"93C81C9D-FC2E-4D7D-A97F-8DB97ED92192"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"1936","Ordinal":"1","Title":"Adding %00 and a fake extension to a jar: URL  changed the inter","CVE":"CVE-2025-1936","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"1936","Ordinal":"1","NoteData":"jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.","Type":"Description","Title":"Adding %00 and a fake extension to a jar: URL  changed the inter"}]}}}