Mozilla Urgently Patches Firefox Pwn2Own 2025 Flaws

Home/Exploitation, Internet Security, Regulation, Security Advisory, Security Update, Tips, vulnerability/Mozilla Urgently Patches Firefox Pwn2Own 2025 Flaws

Mozilla Urgently Patches Firefox Pwn2Own 2025 Flaws

At this year’s Pwn2Own Berlin, researchers revealed two new zero-day flaws in Mozilla Firefox, targeting its content process.

These bugs—CVE-2025-4918 and CVE-2025-4919—were found in Firefox’s JavaScript engine. They allowed attackers to access memory out of bounds, which could lead to remote code execution or data leaks.

The good news? Neither exploit was able to break out of Firefox’s sandbox, a key layer of defense that stops attackers from fully taking over your device.

Mozilla acted fast, releasing security updates for:

  • Firefox 138.0.4
  • Firefox ESR 128.10.1
  • Firefox ESR 115.23.1
  • Firefox for Android

Researchers found two serious security flaws in Firefox’s JavaScript engine, SpiderMonkey, that could let attackers run code on your device if you visit a malicious site.

All about the Vulnerability

CVE-2025-4918
This bug happens when Firefox mishandles memory while working with JavaScript Promises. Hackers could use this to read or write memory they shouldn’t, possibly taking control of the system.
Discovered by Edouard Bochin and Tao Yan (Palo Alto Networks).

CVE-2025-4919
This issue involves an integer overflow during array index calculations. It can lead to memory corruption and could also allow attackers to run code.
Found by Manfred Paul.

Simple Example of the Bug

let arr = [1, 2, 3];
let idx = calculateIndex(); // attacker controls this value
arr[idx] = 42; // writing outside the array causes memory issues

Summary of the Bugs

CVE IDAffected VersionsWhat Went WrongRisk Level
CVE-2025-4918<138.0.4, ESR <128.10.1, <115.23.1Bug in Promise handling caused memory corruptionRemote Code Execution
CVE-2025-4919<138.0.4, ESR <128.10.1, <115.23.1Array index overflow corrupted memoryRemote Code Execution

These bugs only work if a user visits a malicious website, but Firefox’s sandboxing helped limit the damage. Even so, update your browser immediately to stay safe.

Mozilla’s Fast Security Fix

Mozilla quickly fixed two Firefox zero-day bugs found at Pwn2Own 2025. Global teams developed and released patches the same day, showing their strong focus on user safety.

The exploits didn’t break out of Firefox’s sandbox, thanks to recent security improvements. Mozilla says these updates lower the risk of full system attacks.

Users should update to Firefox 138.0.4, ESR 128.10.1, or ESR 115.23.1 right away.
Admins can scan systems using Qualys QIDs 383252 and 383254.

Mozilla continues to improve browser security and welcomes researchers to join their bug bounty program.

‍Follow Us on: Twitter, InstagramFacebook to get the latest security news!

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!