CVE-2025-1930: 
NixOS vulnerability analysis and mitigation

CVE-2025-1930 is a high-severity vulnerability discovered in Mozilla products, disclosed on March 4, 2025. The vulnerability affects Firefox < 136, Firefox ESR < 115.21, Firefox ESR < 128.8, Thunderbird < 136, and Thunderbird < 128.8. This security flaw was discovered by researcher dalmurino and involves a use-after-free vulnerability in the Browser process on Windows systems (Mozilla Advisory).

The vulnerability stems from a compromised content process that could exploit bad StreamData sent over AudioIPC to trigger a use-after-free condition in the Browser process. The issue has been assigned a CVSS 3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-416 (Use After Free) (NVD).

The vulnerability could lead to a sandbox escape, potentially allowing an attacker to execute arbitrary code outside the confined browser environment. The high CVSS score indicates that successful exploitation could result in significant impacts to confidentiality, integrity, and availability of the affected system (Mozilla Advisory).

Mozilla has addressed this vulnerability in Firefox 136, Firefox ESR 115.21, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8. Users are strongly advised to update their installations to these versions or later to mitigate the risk (Mozilla Advisory).