Mozilla has released security updates to address two critical security flaws in its Firefox browser that could be potentially exploited to access sensitive data or achieve code execution.
The vulnerabilities, both of which were exploited as a zero-day at Pwn2Own Berlin, are listed below –
- CVE-2025-4918 – An out-of-bounds access vulnerability when resolving Promise objects that could allow an attacker to perform read or write on a JavaScript Promise object
- CVE-2025-4919 – An out-of-bounds access vulnerability when optimizing linear sums that could allow an attacker to perform read or write on a JavaScript object by confusing array index sizes
In other words, successful exploitation of either of the flaws could permit an adversary to achieve out-of-bounds read or write, which could then be abused to access otherwise sensitive information or result in memory corruption that could pave the way for code execution.
The vulnerabilities affect the following versions of the Firefox browser –
- All versions of Firefox before 138.0.4
- All versions of Firefox Extended Support Release (ESR) before 128.10.1
- All versions of Firefox ESR before 115.23.1
Edouard Bochin and Tao Yan from Palo Alto Networks have been credited with finding and reporting CVE-2025-4918. The discovery of CVE-2025-4919 has been credited to Manfred Paul.
It’s worth noting that both shortcomings were demonstrated at the Pwn2Own Berlin hacking contest last week for which they were awarded $50,000 each.
With web browsers continuing to be an attractive vector for malware delivery, users are advised to update their instances to the latest version to safeguard against potential threats.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Leave feedback about this