At this year’s Pwn2Own Berlin, researchers revealed two new zero-day flaws in Mozilla Firefox, targeting its content process.
These bugs—CVE-2025-4918 and CVE-2025-4919—were found in Firefox’s JavaScript engine. They allowed attackers to access memory out of bounds, which could lead to remote code execution or data leaks.
The good news? Neither exploit was able to break out of Firefox’s sandbox, a key layer of defense that stops attackers from fully taking over your device.
Mozilla acted fast, releasing security updates for:
- Firefox 138.0.4
- Firefox ESR 128.10.1
- Firefox ESR 115.23.1
- Firefox for Android
Researchers found two serious security flaws in Firefox’s JavaScript engine, SpiderMonkey, that could let attackers run code on your device if you visit a malicious site.
All about the Vulnerability
CVE-2025-4918
This bug happens when Firefox mishandles memory while working with JavaScript Promises. Hackers could use this to read or write memory they shouldn’t, possibly taking control of the system.
Discovered by Edouard Bochin and Tao Yan (Palo Alto Networks).
CVE-2025-4919
This issue involves an integer overflow during array index calculations. It can lead to memory corruption and could also allow attackers to run code.
Found by Manfred Paul.
Simple Example of the Bug
let arr = [1, 2, 3];
let idx = calculateIndex(); // attacker controls this value
arr[idx] = 42; // writing outside the array causes memory issues
Summary of the Bugs
| CVE ID | Affected Versions | What Went Wrong | Risk Level |
|---|---|---|---|
| CVE-2025-4918 | <138.0.4, ESR <128.10.1, <115.23.1 | Bug in Promise handling caused memory corruption | Remote Code Execution |
| CVE-2025-4919 | <138.0.4, ESR <128.10.1, <115.23.1 | Array index overflow corrupted memory | Remote Code Execution |
These bugs only work if a user visits a malicious website, but Firefox’s sandboxing helped limit the damage. Even so, update your browser immediately to stay safe.
Mozilla’s Fast Security Fix
Mozilla quickly fixed two Firefox zero-day bugs found at Pwn2Own 2025. Global teams developed and released patches the same day, showing their strong focus on user safety.
The exploits didn’t break out of Firefox’s sandbox, thanks to recent security improvements. Mozilla says these updates lower the risk of full system attacks.
Users should update to Firefox 138.0.4, ESR 128.10.1, or ESR 115.23.1 right away.
Admins can scan systems using Qualys QIDs 383252 and 383254.
Mozilla continues to improve browser security and welcomes researchers to join their bug bounty program.
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment