CVE-2025-1937: 
NixOS vulnerability analysis and mitigation

CVE-2025-1937 addresses memory safety bugs discovered in multiple Mozilla products. The vulnerability was disclosed on March 4, 2025, affecting Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, and Thunderbird 128.7. The issue was identified by the Mozilla Fuzzing Team and Andrew McCreight (Mozilla Advisory).

The vulnerability represents multiple memory safety bugs that showed evidence of memory corruption. The issue received a CVSS 3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability was classified under CWE-1260 (Improper Handling of Overlap Between Protected Memory Ranges) (NVD).

The memory safety bugs showed evidence of memory corruption with the potential for arbitrary code execution if sufficient effort was applied to exploit them. The vulnerability affects multiple versions of Firefox and Thunderbird, including both regular and ESR releases (Mozilla Advisory).

Mozilla has addressed these vulnerabilities in Firefox 136, Thunderbird 136, Firefox ESR 115.21, Firefox ESR 128.8, and Thunderbird 128.8. Users are advised to upgrade to these versions or later to mitigate the risk (Mozilla Advisory).

Security researchers have noted that while the vulnerability affects both desktop and mobile versions, the desktop versions were rated as high severity rather than critical (OSS Security).