VYPR
Medium severity (6.5) · NVD Advisory · Published Mar 4, 2025 · Updated Apr 13, 2026

CVE-2025-1934

Description

It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-1934 is a race condition in Firefox's RegExp bailout handling that can trigger unexpected garbage collection, leading to a potentially exploitable crash.

Root Cause Analysis

CVE-2025-1934 stems from a race condition in how the JavaScript engine handles RegExp bailout processing. The bug allows an attacker to interrupt this processing and execute additional JavaScript code, which can in turn trigger garbage collection at a time the engine does not expect it. This violates the engine's internal invariants and leads to an assertion failure, as shown in the attached crash report [1]. The crash occurs in js/src/vm/Interpreter.cpp at line 463, where the assertion !cx->suppressGC fails [1].

Exploitation

Exploitation requires the ability to execute arbitrary JavaScript in the browser or Thunderbird context. A crafted script can force a RegExp bailout and, through a carefully designed interrupt callback, trigger garbage collection during the bailout path [1]. The included test case demonstrates the technique using setInterruptCallback and repeated RegExp matching [1]. The vulnerability can be triggered without any additional user interaction beyond visiting a malicious page or opening a crafted email with scripting enabled [2][3].

Impact

Successful exploitation can cause a denial of service via a browser crash. Under certain conditions, an attacker might be able to achieve memory corruption, potentially leading to arbitrary code execution. Mozilla classified the impact as "high" [2]. In Thunderbird, the risk is lower because scripting is disabled by default when reading mail, but it could be exploited in browser-like contexts [3][4].

Mitigation

Mozilla has fixed this vulnerability in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8 [2][3][4]. Users are strongly advised to update to these versions or later. No workarounds are available.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 30

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet)