Mozilla has officially released Firefox 137, addressing multiple high-severity security vulnerabilities that could potentially allow remote attackers to execute arbitrary code, trigger denial of service conditions, or elevate privileges on affected systems.
This critical security update, announced on April 1, 2025, fixes several memory safety bugs and use-after-free vulnerabilities that posed significant risks to users of previous versions.
The most concerning vulnerability patched in this release is CVE-2025-3028, discovered by Ivan Fratric of Google Project Zero.
This high-impact use-after-free vulnerability could be triggered when JavaScript code runs while transforming a document with the XSLTProcessor.
If exploited, this flaw could potentially allow attackers to execute arbitrary code on the victim’s system.
The flaw affected Firefox versions prior to 137, Firefox ESR versions below 115.22 and 128.9, and Thunderbird versions below 137 and 128.9. Mozilla resolved it in Firefox 137 through improved memory management during XSLT processing.
Mozilla also addressed CVE-2025-3030, a critical memory safety bug present in Firefox 136 and other Mozilla products.
According to security researchers Sylvestre Ledru, Paul Bone, and the Mozilla Fuzzing Team, these bugs showed evidence of memory corruption and could potentially be exploited to run arbitrary code with enough effort.
Patched in Firefox 137 and related ESR/Thunderbird updates, the fixes included enhanced memory validation and sanitization across the codebase.
Reported by Andrew McCreight and the Mozilla Fuzzing Team, specifically targeted memory safety issues in Firefox 136 and Thunderbird 136.
These bugs, concentrated in the Just-In-Time (JIT) compiler and email processing modules, showed clear evidence of memory corruption.
The fixes in Firefox 137 and Thunderbird 137 included hardening the JIT compiler’s security checks and addressing race conditions in memory handling.
The update also remedies CVE-2025-3035, which caused Firefox to leak document titles into chat prompts in versions prior to 137.
Another notable fix included CVE-2025-3029, a moderate-impact vulnerability that involved URL bar spoofing using non-BMP Unicode characters, where a crafted URL could hide the true origin of a webpage, enabling potential spoofing attacks.
Furthermore, CVE-2025-3031 fixed an issue where attackers could potentially read 32 bits of values spilled onto the stack in JIT-compiled functions.
Security researchers identified CVE-2025-3032, a vulnerability where file descriptors from the fork server could leak to web content processes, potentially allowing for privilege escalation attacks.
These vulnerabilities collectively posed serious security risks, including denial of service, elevation of privilege, remote code execution, spoofing, and information disclosure.
The vulnerabilities fixed in Firefox 137 affect all earlier versions of the browser. Mozilla has simultaneously released updates for other products in its ecosystem, including Firefox ESR 115.22, Firefox ESR 128.9, Thunderbird 137, and Thunderbird ESR 128.9.
Security experts strongly recommend that all Firefox users update immediately to mitigate the risk of exploitation.
Organizations utilizing Firefox in enterprise environments should prioritize this update, especially given the high CVSS score of 9.8 assigned to some of these vulnerabilities, indicating critical severity.
These memory safety bugs showed clear evidence of corruption patterns that malicious actors could potentially leverage for arbitrary code execution.
Users can update Firefox by opening the browser’s menu, selecting “Help,” and clicking on “About Firefox,” which will automatically check for and install available updates.
For those unable to update immediately, security professionals recommend temporarily switching to alternative browsers until the update can be applied, as no reliable workarounds exist for these vulnerabilities.
The Firefox 137 release demonstrates Mozilla’s ongoing commitment to addressing security issues promptly and transparently. Users are encouraged to enable automatic updates for all Mozilla products to ensure they receive security patches as soon as they become available.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try 50 Request for Free
A critical cross-site scripting (XSS) vulnerability has been discovered in the popular LiteSpeed Cache plugin…
A new open-source tool called HikvisionExploiter has emerged, designed to automate attacks on vulnerable Hikvision…
The npm ecosystem faces a sophisticated new threat as ten malicious packages have emerged, each…
A public exploit code demonstrating how attackers could exploit CVE-2025-40778, a critical vulnerability in BIND…
Microsoft Exchange servers in Germany are still running without security updates, just weeks after the…
The threat landscape continues to evolve as Gunra ransomware emerged in April 2025, establishing itself…