Firefox 137 Update Patches Multiple High-Severity Security Flaws

Mozilla has officially released Firefox 137, a significant update aimed at addressing multiple security vulnerabilities, including high-severity flaws that could have been exploited for malicious purposes.

The update underscores Mozilla’s commitment to ensuring user safety by patching issues that posed risks such as arbitrary code execution, data leaks, and privilege escalation.

Key Vulnerabilities Fixed in Firefox 137

The latest release resolves eight security vulnerabilities, categorized by their severity and potential impact.

Below is a summary of the most critical fixes:

1. CVE-2025-3028: Use-After-Free in XSLTProcessor (High Severity)
Reported by Ivan Fratric of Google Project Zero, this vulnerability involved a use-after-free scenario triggered by JavaScript code running during document transformation with the XSLTProcessor. If exploited, attackers could access freed memory, potentially leading to arbitrary code execution. This flaw was tracked under Bug 1941002.

2. CVE-2025-3030 & CVE-2025-3034: Memory Safety Bugs (High Severity)
Memory safety bugs identified in Firefox 136 and Thunderbird 136 showed evidence of memory corruption. These vulnerabilities were reported by the Mozilla Fuzzing Team and others. Exploitation could allow attackers to execute arbitrary code. These issues were collectively tracked under Bugs 1950056 and 1952268.

3. CVE-2025-3031: JIT Optimization Bug (Moderate Severity)
This flaw allowed attackers to read 32-bit values spilled onto the stack in JIT-compiled functions due to discrepancies in stack slot sizes. Reported by researcher Anbu, this vulnerability was tracked under Bug 1947141.

4. CVE-2025-3029: URL Bar Spoofing via Unicode Characters (Moderate Severity)
Renwa Hiwa discovered that carefully crafted URLs containing non-BMP Unicode characters could obscure the true origin of a webpage, enabling potential phishing or spoofing attacks. This issue was documented under Bug 1952213.

5. CVE-2025-3032: File Descriptor Leak from Fork Server (Moderate Severity)
As reported by Thinker Li, this vulnerability involved leaking file descriptors from the fork server to web content processes, which could enable privilege escalation attacks. This issue was tracked under Bug 1949987.

6. CVE-2025-3033: Malicious File Upload via Local .url Files (Low Severity)
Ameen Basha M K identified a Windows-specific vulnerability where selecting a malicious .url shortcut could lead to unintended file uploads. This issue affected only Windows systems and was documented under Bug 1950056.

Broader Implications

The vulnerabilities addressed in Firefox 137 highlight critical areas of concern for browser security:

• Memory Safety: Issues like CVE-2025-3030 and CVE-2025-3034 emphasize the importance of robust memory management to prevent exploitation through memory corruption.
• User Interface Integrity: URL bar spoofing (CVE-2025-3029) demonstrates how even minor interface flaws can have significant security implications.
• Cross-System Security: The file descriptor leak (CVE-2025-3032) underscores the need for secure inter-process communication mechanisms.

Update Recommendations

Mozilla strongly advises users to update their browsers immediately to mitigate these risks:

1. For Firefox Users: Update to version 137 via the browser’s built-in update feature or download it from Mozilla’s official website.
2. For Thunderbird Users: Update to Thunderbird 137 or Thunderbird ESR 128.9 if applicable.
3. For Enterprise Users: Ensure Firefox ESR installations are updated to version 128.9.

While no evidence suggests that these vulnerabilities have been exploited in the wild, their potential impact underscores the need for timely updates to maintain system security.

Mozilla’s proactive approach in addressing these issues highlights its dedication to user safety and secure browsing experiences.

For detailed technical information on these vulnerabilities, users can refer to Mozilla’s official security advisory, MFSA 2025-20.

Also Read: