Mozilla Quickly Fixes Firefox Vulnerabilities from Pwn2Own 2025 with Urgent Patches
At this year’s Pwn2Own Berlin, security researchers successfully demonstrated two new zero-day exploits against Mozilla Firefox, targeting the browser’s content process.
The vulnerabilities—CVE-2025-4918 and CVE-2025-4919—were both found in Firefox’s JavaScript engine and allowed out-of-bounds memory access, raising the risk of remote code execution and sensitive data exposure.
However, neither exploit succeeded in escaping Firefox’s sandbox, a critical security boundary designed to prevent attackers from gaining full control over the user’s system.
Mozilla responded within hours, releasing patched versions across all platforms: Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, and Firefox for Android.
Users and administrators are strongly advised to update immediately, as these vulnerabilities were actively exploited during the competition and publicly disclosed.
The Vulnerabilities and Their Impact
Both vulnerabilities exploited weaknesses in the SpiderMonkey JavaScript engine:
- CVE-2025-4918: This flaw involved improper memory boundary handling when resolving JavaScript `Promise` objects. Attackers could perform out-of-bounds reads or writes, potentially leading to memory corruption or arbitrary code execution. The vulnerability was discovered by Edouard Bochin and Tao Yan from Palo Alto Networks.
- CVE-2025-4919: This bug stemmed from an integer overflow during array index calculations in optimization routines, resulting in out-of-bounds access and memory corruption. The vulnerability was identified by Manfred Paul.
Technical Example: Out-of-Bounds Access in JavaScript
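```javascript
// Vulnerable pattern (simplified)
// Hypothetical stand-in for an index derived from attacker-controlled input
function calculateIndex() { return 1000; }

let arr = [1, 2, 3];
let idx = calculateIndex(); // Malicious input manipulates idx
arr[idx] = 42; // If the engine mishandles an out-of-bounds idx, memory corruption may occur
```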
Table: Summary of Firefox Zero-Day Vulnerabilities
CVE ID | Affected Versions | Vulnerability Details | Impact |
---|---|---|---|
CVE-2025-4918 | | Out-of-bounds access in Promise resolution (JavaScript engine) | Remote Code Execution |
CVE-2025-4919 | | Array index miscalculation in optimization, leading to memory corruption | Remote Code Execution |
Both vulnerabilities required the victim to visit a malicious webpage, highlighting the importance of browser process isolation and sandboxing in mitigating real-world impact.
Mozilla’s Security Response
Mozilla’s incident response was swift and coordinated, involving global teams across engineering, QA, and release management.
Patches were developed, tested, and deployed on the same day as the second exploit’s announcement, continuing Mozilla’s tradition of rapid mitigation.
Last year, the team patched a critical bug within 21 hours of disclosure.
Crucially, neither exploit managed to escape the Firefox sandbox, a testament to recent architectural improvements.
Mozilla confirmed that these enhancements have significantly reduced the risk of full system compromise from browser exploits, strengthening user protection.
Mozilla’s security team encourages all users to update immediately and remains committed to the continuous hardening of Firefox’s security architecture.
The company also invites security researchers to participate in its bug bounty program and follow ongoing technical discussions on the Attack & Defense – Firefox Security Internals for Engineers, Researchers, and Bounty Hunters blog.
Remediation:
- Update to Firefox 138.0.4, ESR 128.10.1, or ESR 115.23.1 immediately.
- Administrators can use Qualys QIDs 383252 and 383254 to detect vulnerable assets.
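For fleets without a scanner, the same check can be run over collected `firefox --version` output. The script below is an added example, not code from Mozilla or Qualys; it compares each version against the fixed releases listed above, and the hostnames and version strings in `SAMPLE` are constructed. Firefox for Android is left out because the article gives no version number for it.

```python
import re

# Fixed versions named in the article. ESR fixes are keyed by branch (major version).
FIXED_RELEASE = (138, 0, 4)
FIXED_ESR = {128: (128, 10, 1), 115: (115, 23, 1)}

_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text):
    """Parse `firefox --version` style output into ((major, minor, patch), is_esr)."""
    match = _VERSION.search(text)
    if match is None:
        raise ValueError(f"no Firefox version in {text!r}")
    major, minor, patch, esr = match.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def status(text):
    """Return 'update', 'ok' or 'review' for one version string."""
    version, is_esr = parse_version(text)
    if not is_esr:
        # Without the esr suffix the release-channel fix applies, so an
        # unlabelled ESR build is flagged rather than missed.
        return "update" if version < FIXED_RELEASE else "ok"
    fixed = FIXED_ESR.get(version[0])
    if fixed is None:
        # Assumption: an ESR branch the article does not list goes to manual review.
        return "review"
    return "update" if version < fixed else "ok"


def audit(inventory):
    """Map each host to its status; unparseable entries are marked 'review'."""
    results = {}
    for host, text in inventory:
        try:
            results[host] = status(text)
        except ValueError:
            results[host] = "review"
    return results


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE = [("ws-01", "Mozilla Firefox 138.0.3"), ("ws-02", "Mozilla Firefox 138.0.4"),
          ("srv-01", "Mozilla Firefox 128.10.0esr"), ("srv-02", "Mozilla Firefox 115.23.1esr"),
          ("kiosk-01", "Mozilla Firefox 102.15.1esr"), ("lab-01", "not installed")]

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(f"{host}: {result}")
```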
Mozilla’s rapid, transparent response at Pwn2Own 2025 reinforces its reputation for prioritizing user security and sets a high standard for incident response in the browser industry.