CVE-2025-1932 is a vulnerability identified in the XSLT processing component of Mozilla Firefox and Thunderbird, specifically within the xslt/txNodeSorter module responsible for sorting nodes during XSLT transformations. The root cause is an inconsistent comparator function used during sorting, which can lead to out-of-bounds memory access (CWE-125). This memory corruption flaw arises when the comparator does not maintain a consistent ordering, causing the sorting algorithm to access memory outside the bounds of allocated arrays. Such out-of-bounds access can be exploited by attackers to trigger crashes (denial of service) or potentially execute arbitrary code in the context of the affected application. The vulnerability affects Firefox versions starting from 122 up to but not including 136, Firefox ESR versions prior to 128.8, and Thunderbird versions prior to 136 and ESR versions prior to 128.8. Exploitation requires no privileges but does require user interaction, such as visiting a maliciously crafted webpage or opening a malicious email containing specially crafted XSLT content. The CVSS v3.1 base score is 8.1, reflecting high severity due to network attack vector, low attack complexity, no privileges required, but requiring user interaction, with high impact on confidentiality and availability but no impact on integrity. No public exploits are currently known, but the potential for exploitation exists given the nature of the flaw and the widespread use of Firefox and Thunderbird. The vulnerability was publicly disclosed on March 4, 2025, and users are advised to update to fixed versions (Firefox 136+, Thunderbird 136+, ESR 128.8+).

For European organizations, this vulnerability poses a significant risk due to the widespread use of Mozilla Firefox and Thunderbird in enterprise and government environments. Successful exploitation could lead to denial of service, disrupting critical web-based services and email communications, or potentially allow remote code execution, compromising system confidentiality and availability. This could result in data breaches, loss of sensitive information, or disruption of business operations. Organizations relying on Firefox or Thunderbird for secure communications or web access are particularly at risk. The requirement for user interaction means phishing or social engineering campaigns could be used to trigger the exploit. Given the high CVSS score and the critical role of these applications, the impact on sectors such as finance, government, healthcare, and critical infrastructure in Europe could be substantial if unpatched systems are targeted.

European organizations should immediately verify the versions of Firefox and Thunderbird deployed across their environments and prioritize upgrading to Firefox 136 or later, Thunderbird 136 or later, or ESR 128.8 or later. Where immediate patching is not feasible, organizations should implement network-level protections such as web filtering to block access to potentially malicious websites hosting crafted XSLT content. Email gateways should be configured to detect and quarantine suspicious emails containing XSLT or XML attachments. User awareness training should emphasize the risks of interacting with untrusted web content or email attachments. Additionally, organizations should monitor endpoint behavior for crashes or anomalies related to Firefox or Thunderbird processes, which could indicate exploitation attempts. Employing application whitelisting and sandboxing for these applications can further reduce exploitation risk. Finally, maintaining up-to-date intrusion detection and prevention systems with signatures for this vulnerability will help detect and block exploit attempts.