{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1934", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-03-04T12:29:35.333Z", "datePublished": "2025-03-04T13:31:24.734Z", "dateUpdated": "2026-04-13T14:27:40.069Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "128.8", "lessThanOrEqual": "128.*", "versionType": "rpm"}, {"status": "unaffected", "version": "136", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "128.8", "lessThanOrEqual": "128.*", "versionType": "rpm"}, {"status": "unaffected", "version": "136", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8."}]}], "title": "Unexpected GC during RegExp bailout processing", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1942881"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-14/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-16/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-17/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-18/"}], "credits": [{"lang": "en", "value": "Nils Bars"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:27:40.069Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-03-04T15:50:25.693188Z", "id": "CVE-2025-1934", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-25T14:19:41.602Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T20:57:19.643Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T20:57:19.643Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-1934", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-04T15:50:25.693188Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T15:53:07.941Z"}}], "cna": {"title": "Unexpected GC during RegExp bailout processing", "credits": [{"lang": "en", "value": "Nils Bars"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "128.8", "versionType": "rpm", "lessThanOrEqual": "128.*"}, {"status": "unaffected", "version": "136", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "128.8", "versionType": "rpm", "lessThanOrEqual": "128.*"}, {"status": "unaffected", "version": "136", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1942881"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-14/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-16/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-17/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-18/"}], "descriptions": [{"lang": "en", "value": "It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.", "supportingMedia": [{"type": "text/html", "value": "It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:27:40.069Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1934", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:27:40.069Z", "dateReserved": "2025-03-04T12:29:35.333Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-03-04T13:31:24.734Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "51A0498A-4BF8-4166-A347-78023C0A6B33", "versionEndExcluding": "128.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DB4CDD0-EC54-43D0-ACB2-F159ABA53D2C", "versionEndExcluding": "136.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "D3C5A2B6-C7B5-4888-B0A7-9DA0C3024C71", "versionEndExcluding": "128.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "93C81C9D-FC2E-4D7D-A97F-8DB97ED92192", "versionEndExcluding": "136.0", "versionStartIncluding": "129.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8."}, {"lang": "es", "value": "Se pudo interrumpir el procesamiento de un rescate de RegExp y ejecutar JavaScript adicional, lo que podr\u00eda activar la recolecci\u00f3n de basura cuando el motor no lo esperaba. Esta vulnerabilidad afecta a Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136 y Thunderbird < 128.8."}], "id": "CVE-2025-1934", "lastModified": "2026-04-13T15:16:52.437", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-03-04T14:15:38.273", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1942881"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-14/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-16/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-17/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-18/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2025:2699", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "firefox-0:128.8.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2025-03-13T00:00:00Z"}, {"advisory": "RHSA-2025:2452", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:128.8.0-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-03-06T00:00:00Z"}, {"advisory": "RHSA-2025:2708", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "firefox-0:128.8.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2025-03-13T00:00:00Z"}, {"advisory": "RHSA-2025:2484", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "firefox-0:128.8.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:2484", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "firefox-0:128.8.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:2484", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "firefox-0:128.8.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:2485", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "firefox-0:128.8.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:2485", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "firefox-0:128.8.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:2485", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "firefox-0:128.8.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:2486", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "firefox-0:128.8.0-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:2359", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:128.8.0-1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-03-05T00:00:00Z"}, {"advisory": "RHSA-2025:2481", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "firefox-0:128.8.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:2480", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "firefox-0:128.8.0-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2025-03-10T00:00:00Z"}, {"advisory": "RHSA-2025:2479", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "firefox-0:128.8.0-1.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-03-10T00:00:00Z"}], "bugzilla": {"description": "firefox: Unexpected GC during RegExp bailout processing", "id": "2349790", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2349790"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-460", "details": ["It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it. This vulnerability affects Firefox < 136, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8.", "A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it."], "name": "CVE-2025-1934", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-03-04T13:31:24Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-1934\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-1934\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1942881\nhttps://www.mozilla.org/security/advisories/mfsa2025-14/\nhttps://www.mozilla.org/security/advisories/mfsa2025-16/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Moderate"}