CVE-2025-1932

high

Published 2025-03-05 · Modified 2025-03-06

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.0

Description

RHSA-2025:2452: firefox security update (Important)

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description firefox: Inconsistent comparator in XSLT sorting led to out-of-bounds access Red Hat statement Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory. CVSS v3: 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H) Errata / fixed releases ProductPackageAdvisoryReleased Red Hat Enterprise Linux 7 Extended Lifecycle…

Description

firefox: Inconsistent comparator in XSLT sorting led to out-of-bounds access

Red Hat statement

Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.

CVSS v3: 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H)

Errata / fixed releases

Product	Package	Advisory	Released
Red Hat Enterprise Linux 7 Extended Lifecycle Support	`firefox-0:128.8.0-1.el7_9`	RHSA-2025:2699	2025-03-13T00:00:00Z
Red Hat Enterprise Linux 8	`firefox-0:128.8.0-1.el8_10`	RHSA-2025:2452	2025-03-06T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support	`firefox-0:128.8.0-1.el8_2`	RHSA-2025:2708	2025-03-13T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support	`firefox-0:128.8.0-1.el8_4`	RHSA-2025:2484	2025-03-10T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service	`firefox-0:128.8.0-1.el8_4`	RHSA-2025:2484	2025-03-10T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions	`firefox-0:128.8.0-1.el8_4`	RHSA-2025:2484	2025-03-10T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support	`firefox-0:128.8.0-1.el8_6`	RHSA-2025:2485	2025-03-10T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service	`firefox-0:128.8.0-1.el8_6`	RHSA-2025:2485	2025-03-10T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions	`firefox-0:128.8.0-1.el8_6`	RHSA-2025:2485	2025-03-10T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support	`firefox-0:128.8.0-1.el8_8`	RHSA-2025:2486	2025-03-10T00:00:00Z
Red Hat Enterprise Linux 9	`firefox-0:128.8.0-1.el9_5`	RHSA-2025:2359	2025-03-05T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions	`firefox-0:128.8.0-1.el9_0`	RHSA-2025:2481	2025-03-10T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support	`firefox-0:128.8.0-1.el9_2`	RHSA-2025:2480	2025-03-10T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support	`firefox-0:128.8.0-1.el9_4`	RHSA-2025:2479	2025-03-10T00:00:00Z

Package state

Product	Package	State
Red Hat Enterprise Linux 10	`firefox`	Affected
Red Hat Enterprise Linux 10	`firefox-flatpak-container`	Affected
Red Hat Enterprise Linux 6	`firefox`	Out of support scope
Red Hat Enterprise Linux 9	`firefox-flatpak-container`	Affected

Apply commands

bash fix

Apply RHSA-2025:2699 for Red Hat Enterprise Linux 7 Extended Lifecycle Support

yum update -y firefox
# or:
dnf upgrade -y firefox

Affected

Vendor	Product	Version
redhat	Red Hat Enterprise Linux 10	`Affected`
redhat	Red Hat Enterprise Linux 10	`Affected`
redhat	Red Hat Enterprise Linux 9	`Affected`

OS impact

OS	Version	Status	Fixed in
rhel	9	fixed
rocky	8	fixed
debian	sid	fixed	`136.0-1`
debian	bookworm	fixed	`128.8.0esr-1~deb12u1`
debian	bullseye	fixed	`128.8.0esr-1~deb11u1`
debian	forky	fixed	`128.8.0esr-1`
debian	trixie	fixed	`128.8.0esr-1`
sles		affected
rhel	8	fixed

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.