Mozilla has patched two critical Firefox vulnerabilities that could be exploited to access sensitive data or execute arbitrary code.
Both flaws were demonstrated as zero-day exploits at the Pwn2Own Berlin 2025 hacking contest. Neither exploit broke out of Firefox's sandbox, which limits what an attacker can reach without a second, sandbox-escape bug, but Mozilla nevertheless shipped out-of-band updates. Users are urged to update to the latest versions:
- Firefox 138.0.4
- Firefox ESR 128.10.1
- Firefox ESR 115.23.1
- Firefox for Android
Details of the vulnerabilities:
- CVE-2025-4918: An out-of-bounds read or write on a JavaScript Promise object. Reported by Edouard Bochin and Tao Yan of Palo Alto Networks through the Zero Day Initiative.
- CVE-2025-4919: An out-of-bounds read or write on a JavaScript object caused by confusion over array index sizes in the JavaScript engine's optimizer. Reported by Manfred Paul through the Zero Day Initiative.
All Firefox versions prior to the listed updates are affected, including Firefox for Android. Mozilla advises all users and administrators to update immediately.
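For administrators checking a fleet against the fixed versions above, the following added Python helper (written for this article, not Mozilla code) compares a reported Firefox version string with the fixed release for its branch. The thresholds are the three desktop versions listed on this page; the ESR branch is inferred from the major number and an optional `esr` suffix is accepted as Firefox prints it in about:support. The host inventory is constructed sample data. Firefox for Android is not covered because the page gives no version number for it.

```python
"""Branch-aware check of Firefox version strings against the fixed versions
in Mozilla's advisory (138.0.4, ESR 128.10.1, ESR 115.23.1).

Hypothetical helper written for this article, not Mozilla code.
"""
import re

# Fixed versions from the advisory, keyed by ESR major; None = release channel.
FIXED = {
    115: (115, 23, 1),   # Firefox ESR 115.23.1
    128: (128, 10, 1),   # Firefox ESR 128.10.1
    None: (138, 0, 4),   # Firefox 138.0.4 (release channel)
}
ESR_BRANCHES = (115, 128)

# Accepts "138.0.4", "138.0", "128.10.1esr" (case-insensitive); rejects anything else.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:esr)?$")


def parse_version(text):
    """'128.10.1esr' -> (128, 10, 1); '138.0' -> (138, 0, 0). ValueError on junk."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"not a Firefox version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fixed_version_for(version):
    """Pick the fixed version for the branch the installed build belongs to.

    Any 115.x or 128.x build is treated as ESR: the ESR threshold is lower
    than 138.0.4, and an old release-channel 115/128 build fails it anyway.
    """
    major = version[0]
    if major in ESR_BRANCHES:
        return FIXED[major]
    return FIXED[None]


def is_patched(text):
    """True if the installed build is at or above the fixed version for its branch."""
    v = parse_version(text)
    return v >= fixed_version_for(v)


def needs_update(inventory):
    """Return the hostnames (sorted) whose Firefox is below the fixed version.

    inventory maps hostname -> version string as reported by the client.
    """
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = {
    "ws-01": "138.0.4",
    "ws-02": "137.0.2",
    "srv-03": "128.10.1esr",
    "srv-04": "128.9.0esr",
    "kiosk-05": "115.23.1esr",
}

if __name__ == "__main__":
    for host in needs_update(SAMPLE_INVENTORY):
        ver = parse_version(SAMPLE_INVENTORY[host])
        fixed = ".".join(map(str, fixed_version_for(ver)))
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> update to {fixed}")
```

Versions newer than the listed fixes (for example a later 139.x release) pass the check, and a string that is not a Firefox version raises rather than silently counting as patched, so a misconfigured inventory entry shows up instead of hiding an unpatched host.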