Severity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users contain zero cryptographic signatures, and the updater binary contains zero cryptographic verification code. This eliminates the defense-in-depth that MAR signing provides. If the update server or GitHub release pipeline is compromised, arbitrary unsigned code can be delivered to all Zen users via the auto-update mechanism. This vulnerability is fixed in 1.19.9b.
AnalysisAI
Zen Browser's auto-update mechanism delivered unsigned code to all users due to deliberately removed MAR signature verification inherited from Firefox. The browser shipped with Mozilla's updater binary stripped of all cryptographic verification code and served update packages containing zero cryptographic signatures. Compromise of the update server or GitHub Actions pipeline allowed arbitrary code execution on all Zen installations without cryptographic chain-of-trust protection. Version 1.19.9b restores MAR signing with RSA-4096 keys and certificate verification in the updater binary.
Technical ContextAI
Mozilla Application Resource (MAR) files are Firefox's update package format, cryptographically signed using RSA keys embedded in the updater binary. Firefox's MAR verification uses NSS (Network Security Services) to validate signatures against public keys compiled into org.mozilla.updater. Zen Browser forked Firefox's codebase but removed all MAR signature verification code paths and shipped updates without signing infrastructure. The vulnerability stems from CWE-347 (Improper Verification of Cryptographic Signature) - the updater accepted any MAR file from the update server without cryptographic validation. The fix implements a complete signing pipeline: OpenSSL-generated RSA-4096 keypair, self-signed X.509 certificate for PKCS#12 bundling, public key (SPKI DER format) embedded in release_primary.der and release_secondary.der within the updater binary, NSS database initialization for signature operations, and GitHub Actions secrets (ZEN_MAR_SIGNING_PASSWORD, ZEN_SIGNING_CERT_PEM_BASE64, ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64) protecting the signing key. The build system now calls signmar utility during CI/CD to cryptographically sign all MAR files before distribution, and the updater verifies signatures against embedded public keys before applying updates.
RemediationAI
Update to Zen Browser 1.19.9b or later immediately. The fix commit (270db6d6713d2c6c14d9df0b4bc7662843d3d54e at https://github.com/zen-browser/desktop/commit/270db6d6713d2c6c14d9df0b4bc7662843d3d54e) restores MAR signing with RSA-4096 keys, implements signature verification in the updater binary (--enable-verify-mar in mozconfig), removes the --enable-unverified-updates flag, and integrates mar_sign.sh into the build pipeline. Users on vulnerable versions should verify the update was delivered via the official channel and consider the security posture of any system where Zen Browser auto-updated prior to 1.19.9b (treat as potentially compromised if the update server was ever untrusted). No workaround exists for versions prior to 1.19.9b - the updater binary itself lacks verification code, so disabling auto-update only prevents future compromise but does not validate already-applied updates. If unable to update immediately, uninstall Zen Browser and use an alternative browser until 1.19.9b can be installed from the official GitHub release page. Organizations should audit systems for Zen Browser installations and force-upgrade via deployment tools rather than relying on the insecure auto-update channel.
More in Jwt Attack
View allWhy is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti
A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27
A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote
Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29119