Mozilla Addresses Critical Vulnerabilities in Firefox Browser

Mozilla has announced critical security updates for its Firefox browser, addressing two significant vulnerabilities that could be exploited to access sensitive user data or execute arbitrary code. These security flaws were reportedly demonstrated at the Pwn2Own Berlin hacking contest, highlighting the ongoing challenges faced by web browsers against potential attacks.

The first vulnerability, identified as CVE-2025-4918, pertains to an out-of-bounds access issue when resolving JavaScript Promise objects. This flaw could allow an attacker to conduct unauthorized read or write operations on these objects. Meanwhile, the second vulnerability, CVE-2025-4919, involves out-of-bounds access when optimizing linear sums, which could similarly permit unauthorized access to JavaScript objects by misinterpreting array index sizes.

Both vulnerabilities could lead to serious security breaches, including out-of-bounds read or write capabilities that may compromise otherwise secure information or result in memory corruption, ultimately facilitating code execution. Mozilla strongly recommends that users update their browsers to mitigate the risk posed by these vulnerabilities.

Affected are all versions of Firefox prior to 138.0.4, including the Android variant, as well as all Firefox Extended Support Release (ESR) versions before 128.10.1 and 115.23.1. CVE-2025-4918 was discovered by security researchers Edouard Bochin and Tao Yan from Palo Alto Networks, and CVE-2025-4919 by Manfred Paul.
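The version thresholds above can be turned into a fleet check. The following is an added example, not Mozilla's code; it assumes an inventory of version strings in the form "138.0.3" or "128.10.0esr", and the host names and sample data are constructed.

```python
import re

# Fixed versions as stated in the article above.
FIXED_RELEASE = (138, 0, 4)
FIXED_ESR_128 = (128, 10, 1)
FIXED_ESR_115 = (115, 23, 1)

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?", re.IGNORECASE)

def parse_version(text):
    """Parse '138.0.3' or '128.10.0esr' into ((major, minor, patch), is_esr)."""
    match = _VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part or 0) for part in match.groups()[:3])
    return numbers, match.group(4) is not None

def is_affected(text):
    """True if the version predates the fix for its channel."""
    version, is_esr = parse_version(text)
    if not is_esr:
        return version < FIXED_RELEASE
    # ESR: the 115 branch and anything older is measured against 115.23.1,
    # everything after it against 128.10.1.
    fixed = FIXED_ESR_115 if version[0] <= 115 else FIXED_ESR_128
    return version < fixed

def audit(inventory):
    """Map each host to 'affected', 'fixed' or 'unknown' (unparseable version)."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            report[host] = "unknown"
    return report

# Constructed sample inventory; host names and version strings are made up.
SAMPLE_INVENTORY = {
    "laptop-01": "138.0.3",
    "laptop-02": "138.0.4",
    "kiosk-01": "128.10.0esr",
    "kiosk-02": "115.23.1esr",
    "build-01": "139.0b3",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" carry a version string the parser does not recognise (a beta build in the sample) and need a manual look rather than being assumed safe.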

Mozilla confirmed that while both vulnerabilities were exploited during the Pwn2Own event, the attacks did not breach Mozilla’s sandbox environment, which is crucial for protecting users’ systems. Mozilla urged users to act promptly by updating their browsers to the latest versions to protect against these risks. For further details, users can refer to the full advisory on Mozilla’s security site.

This incident underscores the need for ongoing vigilance in web security, as browsers remain a vital target for malware distribution.