{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3608", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-04-14T20:03:44.238Z", "datePublished": "2025-04-15T12:57:28.868Z", "dateUpdated": "2026-04-13T14:27:49.219Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "137.0.2", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "A race condition existed in nsHttpTransaction that could have been exploited to cause memory corruption, potentially leading to an exploitable condition. This vulnerability was fixed in Firefox 137.0.2.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A race condition existed in nsHttpTransaction that could have been exploited to cause memory corruption, potentially leading to an exploitable condition. This vulnerability was fixed in Firefox 137.0.2."}]}], "title": "Race condition in nsHttpTransaction could lead to memory corruption", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1951554"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-3608", "name": "CVE-2025-3608"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-25/"}], "credits": [{"lang": "en", "value": "The Mozilla Fuzzing Team"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:27:49.219Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-3608", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-16T03:55:07.062337Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T18:28:22.871Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-3608", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-16T03:55:07.062337Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-17T17:46:52.935Z"}}], "cna": {"title": "Race condition in nsHttpTransaction could lead to memory corruption", "credits": [{"lang": "en", "value": "The Mozilla Fuzzing Team"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "137.0.2", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1951554"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-3608", "name": "CVE-2025-3608"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-25/"}], "descriptions": [{"lang": "en", "value": "A race condition existed in nsHttpTransaction that could have been exploited to cause memory corruption, potentially leading to an exploitable condition. This vulnerability was fixed in Firefox 137.0.2.", "supportingMedia": [{"type": "text/html", "value": "A race condition existed in nsHttpTransaction that could have been exploited to cause memory corruption, potentially leading to an exploitable condition. This vulnerability was fixed in Firefox 137.0.2.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:27:49.219Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3608", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:27:49.219Z", "dateReserved": "2025-04-14T20:03:44.238Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-04-15T12:57:28.868Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "95227E2D-E67B-4837-86BB-C031F0E0BE64", "versionEndExcluding": "137.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A race condition existed in nsHttpTransaction that could have been exploited to cause memory corruption, potentially leading to an exploitable condition. This vulnerability was fixed in Firefox 137.0.2."}, {"lang": "es", "value": "Exist\u00eda una condici\u00f3n de ejecuci\u00f3n en nsHttpTransaction que podr\u00eda haberse explotado para causar corrupci\u00f3n de memoria, lo que podr\u00eda dar lugar a una condici\u00f3n explotable. Esta vulnerabilidad afecta a Firefox anterior a la versi\u00f3n 137.0.2."}], "id": "CVE-2025-3608", "lastModified": "2026-04-13T15:16:58.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-04-15T13:15:55.590", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1951554"}, {"source": "security@mozilla.org", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2025-3608"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-25/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Race condition in nsHttpTransaction could lead to memory corruption", "id": "2359752", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359752"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-364", "details": ["A race condition existed in nsHttpTransaction that could have been exploited to cause memory corruption, potentially leading to an exploitable condition. This vulnerability affects Firefox < 137.0.2.", "A flaw was found in Firefox. The Mozilla Foundation's Security Advisory: A race condition exists in nsHttpTransaction that can be exploited to cause memory corruption, leading to an exploitable condition."], "name": "CVE-2025-3608", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-15T12:57:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-3608\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-3608\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1951554\nhttps://www.mozilla.org/security/advisories/mfsa2025-25/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-20T20:35:24.471492+00:00", "value": {"mitigation_remediation": ["Upgrade Firefox to version 137.0.2 or later to eliminate the race condition", "Configure security settings to limit untrusted scripts and mixed content, reducing the chance of malicious HTTP traffic triggering the flaw", "Enable browser policies that restrict extensions from performing heavy HTTP operations unless explicitly trusted"], "summary": {"action": "Immediate patch", "impact": "Memory corruption potentially leading to browsers crashing or data corruption"}, "threat_synthesis": {"affected_systems": "Any Mozilla Firefox installation using a version earlier than 137.0.2 is susceptible. Versions 137.0.2 and later include the fix that removes the flawed synchronization.", "description_and_impact": "The vulnerability is a race condition in nsHttpTransaction, a component that handles HTTP requests in the browser. The flaw allows concurrent transactions to interfere with each other, corrupting the memory region that stores response data. This memory corruption can result in unexpected application behavior, including crashes or the corruption of data stored in the browser. The description does not confirm arbitrary code execution, so the impact is limited to instability and potential data integrity issues.", "risk_and_exploitability": "The CVSS score of 6.5 indicates medium severity. With an EPSS score of less than 1%, the probability of exploitation in the wild is low, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is browser\u2011based and requires an attacker to deliver malicious web content that triggers the race condition, as inferred from the requirement of concurrent HTTP transactions."}}}}, "created": "2026-04-20T20:45:16.932142+00:00", "updated": "2026-04-20T20:45:16.932153+00:00", "vendors": []}