Mozilla Firefox and Thunderbird jar: URL Content Interpretation Vulnerability

Vulnerability

A vulnerability exists in Firefox versions prior to 136, Firefox ESR versions prior to 128.8, Thunderbird versions prior to 136, and Thunderbird ESR versions prior to 128.8. It involves jar: URLs, which retrieve file content packaged inside a local ZIP archive. A null character in the entry path, and everything after it, was ignored when the entry was looked up in the archive, but the fake extension placed after the null was still used to determine the content type. The two parses disagreed, so code in a web extension could have been presented as something innocuous, such as an image.
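The mismatch described above, as an added Python model that is not Firefox's code: the sample archive, the jar: URL and the extension-to-type table are constructed for the demonstration, and rejecting entry paths that contain a NUL is an assumed consistent fix, not necessarily the one Mozilla shipped.

```python
import io
import posixpath
import zipfile

# Constructed sample archive standing in for an extension package (not a real
# extension); it holds a single script entry.
SAMPLE_ARCHIVE = io.BytesIO()
with zipfile.ZipFile(SAMPLE_ARCHIVE, "w") as zf:
    zf.writestr("script.js", "console.log('hidden');")

TYPES = {".js": "application/javascript", ".png": "image/png"}

def split_jar_url(url):
    """Split jar:<archive-url>!/<entry-path> into its two parts."""
    if not url.startswith("jar:") or "!/" not in url:
        raise ValueError("not a jar: URL")
    archive, entry = url[4:].split("!/", 1)
    return archive, entry

def type_from_extension(entry):
    """Derive a content type from the extension of the entry path."""
    ext = posixpath.splitext(entry)[1].lower()
    return TYPES.get(ext, "application/octet-stream")

def resolve_vulnerable(url):
    """Pre-fix behaviour: the archive lookup uses the entry name cut at the
    first NUL, while the content type comes from the full string."""
    _, entry = split_jar_url(url)
    lookup_name = entry.split("\0", 1)[0]
    with zipfile.ZipFile(io.BytesIO(SAMPLE_ARCHIVE.getvalue())) as zf:
        data = zf.read(lookup_name)
    return data, type_from_extension(entry)

def resolve_hardened(url):
    """Consistent handling (an assumed fix, not necessarily Mozilla's): reject
    entry paths containing a NUL, so served bytes and declared type agree."""
    _, entry = split_jar_url(url)
    if "\0" in entry:
        raise ValueError("embedded NUL in jar: entry path")
    with zipfile.ZipFile(io.BytesIO(SAMPLE_ARCHIVE.getvalue())) as zf:
        data = zf.read(entry)
    return data, type_from_extension(entry)

def hardened_rejects(url):
    # True when the hardened resolver refuses the URL.
    try:
        resolve_hardened(url)
    except ValueError:
        return True
    return False
```

With the vulnerable resolver, `script.js\0.png` returns the script's bytes labelled `image/png`; the hardened one refuses the URL outright.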

Impact

Exploitation of this vulnerability could have led to the execution of hidden code within a web extension, potentially causing harm to the user or their system.

Remediation

Users can update to Firefox 136, Firefox ESR 128.8, Thunderbird 136, or Thunderbird ESR 128.8 to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          8.4
  impact          5.0
  exploitability  4.4
  remediation     7.7
  relevance       0.0
  threat          0.0
  urgency         2.9
  incentive       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.