Mozilla Patches Two Critical Zero-Day Vulnerabilities in Firefox

BigGo Editorial Team
Mozilla has released emergency security updates for Firefox to address two critical zero-day vulnerabilities that were recently demonstrated at the Pwn2Own hacking competition in Berlin. These vulnerabilities have already been exploited in real-world attacks, making this update particularly urgent for all Firefox users.

The Critical Vulnerabilities

The two security flaws, tracked as CVE-2025-4918 and CVE-2025-4919, are both classified as critical out-of-bounds access vulnerabilities in Firefox's JavaScript engine. The first vulnerability, discovered by Edouard Bochin and Tao Yan from Palo Alto Networks, allows attackers to perform an out-of-bounds read or write on a JavaScript Promise object. The second flaw, identified by Manfred Paul, enables similar out-of-bounds access when optimizing linear sums, potentially allowing attackers to manipulate JavaScript objects by confusing array index sizes.

Vulnerability Details:

  • CVE-2025-4918: Out-of-bounds access flaw in Firefox's JavaScript engine affecting JavaScript Promise objects
  • CVE-2025-4919: Out-of-bounds access when optimizing linear sums
  • Both vulnerabilities rated as "Critical" by Mozilla
  • Each vulnerability discovery awarded $50,000 at Pwn2Own Berlin

Real-World Implications

These vulnerabilities are particularly concerning because they require minimal user interaction: an attacker could potentially execute malicious code simply by luring a user to a malicious or compromised website. Both flaws were demonstrated live at the Pwn2Own Berlin competition, where each discovery earned its researchers $50,000. The public nature of these demonstrations increases the risk of widespread exploitation, as the technical details are now available to potential attackers.

Affected Versions

The security update addresses vulnerabilities in multiple Firefox versions including the standard Firefox browser (versions before 138.0.4), Firefox Extended Support Release (ESR) versions before 128.10.1 and 115.23.1, and Firefox for Android. Mozilla has moved quickly to patch these issues after they were revealed at the hacking competition.

Affected Firefox Versions:

  • Firefox before 138.0.4
  • Firefox Extended Support Release (ESR) before 128.10.1
  • Firefox ESR before 115.23.1
  • Firefox for Android
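For anyone who has to confirm that a fleet is actually on a fixed build, the version thresholds above are easy to get wrong by hand because the ESR lines (115.x and 128.x) carry different fix versions from the main release line. The following script is an added example, not Mozilla's code or anything from the advisory: it parses version strings in the form reported by `firefox --version` (for example "Mozilla Firefox 128.9.0esr"), picks the right branch from the "esr" suffix, and compares against the fixed versions named on this page. The inventory lines it runs over are constructed sample data, and the host names are placeholders. It assumes inventories preserve the "esr" suffix; an export that strips it would make an ESR build look like a mainline one and be judged against 138.0.4 instead.

```python
"""Fleet triage for the Firefox fix versions named in the advisory:
release 138.0.4, ESR 128.10.1 and ESR 115.23.1 (CVE-2025-4918 / CVE-2025-4919).

Added example, not Mozilla's code. Assumes version strings of the form
"major.minor[.patch][esr]" as printed by `firefox --version`.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions from the advisory, keyed by release branch.
FIXED_VERSIONS: Dict[str, Version] = {
    "esr115": (115, 23, 1),
    "esr128": (128, 10, 1),
    "release": (138, 0, 4),
}

# ESR majors that the advisory lists; other ESR lines (e.g. end-of-life 102)
# are reported separately rather than guessed at.
ESR_BRANCHES = {115: "esr115", 128: "esr128"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[Version, bool]]:
    """Extract ((major, minor, patch), is_esr) from free-form text.

    A missing patch component is treated as 0 ("139.0" -> (139, 0, 0)).
    Returns None when no version number is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    return (major, minor, patch), bool(m.group(4))


def assess(text: str) -> str:
    """Classify one version string as patched / vulnerable / unlisted-esr / unknown."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    version, is_esr = parsed
    if is_esr:
        branch = ESR_BRANCHES.get(version[0])
        if branch is None:
            # An ESR line the advisory does not name; needs manual review.
            return "unlisted-esr"
    else:
        branch = "release"
    # Tuple comparison handles the lexicographic major/minor/patch ordering.
    return "patched" if version >= FIXED_VERSIONS[branch] else "vulnerable"


# Constructed sample inventory: "host,<firefox --version output>" per line.
SAMPLE_INVENTORY = """\
host01,Mozilla Firefox 138.0.3
host02,Mozilla Firefox 138.0.4
host03,Mozilla Firefox 128.9.0esr
host04,Mozilla Firefox 128.10.1esr
host05,Mozilla Firefox 115.23.0esr
host06,Mozilla Firefox 102.15.1esr
host07,no browser recorded
"""


def triage(inventory: str) -> Dict[str, str]:
    """Map each host in a CSV-style inventory to its assessment."""
    results: Dict[str, str] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version_text = line.partition(",")
        results[host.strip()] = assess(version_text)
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "vulnerable" are below the fix version for their branch; "unlisted-esr" flags an ESR line the advisory does not cover, which in practice means an unsupported build that should be upgraded anyway. Firefox for Android is listed as affected without a version threshold on this page, so it is not modelled here.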

Silver Lining in Firefox's Security Architecture

Despite the severity of these flaws, Mozilla noted that neither vulnerability managed to break out of Firefox's security sandbox. This is an important security boundary that would need to be breached for attackers to gain complete control over a user's device. This represents an improvement over previous Pwn2Own competitions where Firefox's sandbox was successfully compromised.

How to Update

Users are strongly advised to update their Firefox browsers immediately. The update can be accessed through the Firefox menu by selecting Help and then About Firefox on Windows, or by selecting About Firefox directly from the Firefox menu on macOS. The browser will automatically check for updates and prompt users to restart after the update is installed.

Broader Context of Browser Security

This Firefox update comes amid a series of emergency patches from major browser developers. Apple recently addressed two exploited vulnerabilities, and Google issued critical patches for Chrome, including a high-severity flaw (CVE-2025-4664) that allowed full account takeovers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the Chrome vulnerability was being actively exploited in attacks.

The Importance of Prompt Updates

With browser-based attacks becoming increasingly sophisticated, keeping software updated is more critical than ever. These zero-day vulnerabilities highlight the ongoing cat-and-mouse game between security researchers and malicious actors. By promptly installing security updates, users can significantly reduce their risk of falling victim to these exploits.