Mozilla has officially released Firefox 137, addressing multiple high-severity security vulnerabilities that could potentially allow remote attackers to execute arbitrary code, trigger denial of service conditions, or elevate privileges on affected systems.
This critical security update, announced on April 1, 2025, fixes several memory safety bugs and use-after-free vulnerabilities that posed significant risks to users of previous versions.
High-Security FixesCVE-2025-3028 The most concerning vulnerability patched in this release is CVE-2025-3028, discovered by Ivan Fratric of Google Project Zero.
This high-impact use-after-free vulnerability could be triggered when JavaScript code runs while transforming a document with the XSLTProcessor.
If exploited, this flaw could potentially allow attackers to execute arbitrary code on the victimβs system.
The flaw affected Firefox versions prior to 137, Firefox ESR versions below 115.22 and 128.9, and Thunderbird versions below 137 and 128.9. Mozilla resolved it in Firefox 137 through improved memory management during XSLT processing.
CVE-2025-3030Mozilla also addressed CVE-2025-3030, a critical memory safety bug present in Firefox 136 and other Mozilla products.
According to security researchers Sylvestre Ledru, Paul Bone, and the Mozilla Fuzzing Team, these bugs showed evidence of memory corruption and could potentially be exploited to run arbitrary code with enough effort.
Patched in Firefox 137 and related ESR/Thunderbird updates, the fixes included enhanced memory validation and sanitization across the codebase.
CVE-2025-3034Reported by Andrew McCreight and the Mozilla Fuzzing Team, specifically targeted memory safety issues in Firefox 136 and Thunderbird 136.
These bugs, concentrated in the Just-In-Time (JIT) compiler and email processing modules, showed clear evidence of memory corruption.
The fixes in Firefox 137 and Thunderbird 137 included hardening the JIT compilerβs security checks and addressing race conditions in memory handling.
Additional Vulnerabilities AddressedThe update also remedies CVE-2025-3035, which caused Firefox to leak document titles into chat prompts in versions prior to 137.
Another notable fix included CVE-2025-3029, a moderate-impact vulnerability that involved URL bar spoofing using non-BMP Unicode characters, where a crafted URL could hide the true origin of a webpage, enabling potential spoofing attacks.
Furthermore, CVE-2025-3031 fixed an issue where attackers could potentially read 32 bits of values spilled onto the stack in JIT-compiled functions.
Security researchers identified CVE-2025-3032, a vulnerability where file descriptors from the fork server could leak to web content processes, potentially allowing for privilege escalation attacks.
These vulnerabilities collectively posed serious security risks, including denial of service, elevation of privilege, remote code execution, spoofing, and information disclosure.
Impact and RecommendationsThe vulnerabilities fixed in Firefox 137 affect all earlier versions of the browser. Mozilla has simultaneously released updates for other products in its ecosystem, including Firefox ESR 115.22, Firefox ESR 128.9, Thunderbird 137, and Thunderbird ESR 128.9.
Security experts strongly recommend that all Firefox users update immediately to mitigate the risk of exploitation.
Organizations utilizing Firefox in enterprise environments should prioritize this update, especially given the high CVSS score of 9.8 assigned to some of these vulnerabilities, indicating critical severity.
These memory safety bugs showed clear evidence of corruption patterns that malicious actors could potentially leverage for arbitrary code execution.
Users can update Firefox by opening the browserβs menu, selecting βHelp,β and clicking on βAbout Firefox,β which will automatically check for and install available updates.
For those unable to update immediately, security professionals recommend temporarily switching to alternative browsers until the update can be applied, as no reliable workarounds exist for these vulnerabilities.
The Firefox 137 release demonstrates Mozillaβs ongoing commitment to addressing security issues promptly and transparently. Users are encouraged to enable automatic updates for all Mozilla products to ensure they receive security patches as soon as they become available.