Pierluigi Paganini
May 19, 2025
Mozilla released security updates to fix two critical vulnerabilities in the Firefox browser that could be potentially exploited to access sensitive data or achieve code execution.
“This week at the security hacking competition pwn2own, security researchers demonstrated two new content-process exploits against Firefox. Neither of the attacks managed to break out of our sandbox, which is required to gain control over the user’s system.” reads a post published on the Mozilla Security Blog. “Out of abundance of caution, we just released new Firefox versions in response to these attacks – all within the same day of the second exploit announcement. The updated versions are Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1 and Firefox for Android. Despite the limited impact of these attacks, all users and administrators are advised to update Firefox as soon as possible.”
Both vulnerabilities were demonstrated as zero-day flaws during the recent Pwn2Own Berlin 2025 hacking contest.
Below are the descriptions of the two vulnerabilities:
CVE-2025-4918 is an out-of-bounds access when resolving Ppomise objects.
“An attacker was able to perform an out-of-bounds read or write on a JavaScript Promise object.” reads the advisory.
The vulnerability was discovered by Edouard Bochin and Tao Yan from Palo Alto Networks working with Trend Micro’s Zero Day Initiative.
CVE-2025-4919 is an out-of-bounds access when optimizing linear sums.
“An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes.” reads the advisory.
The vulnerability was discovered by Manfred Paul working with Trend Micro’s Zero Day Initiative.
The vulnerabilities affect all versions of Firefox before 138.0.4 (including Firefox for Android), all versions of Firefox Extended Support Release (ESR) before 128.10.1, and all versions of Firefox ESR before 115.23.1.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Firefox)
