
Mozilla has released emergency security updates for Firefox—just hours after the conclusion of the Pwn2Own Berlin 2025 hacking competition. The urgent response was prompted by the discovery and live demonstration of two critical zero-day vulnerabilities affecting the browser.
The first flaw, CVE-2025-4918 (CVSS score: 7.5), targets Firefox’s JavaScript engine and involves an out-of-bounds read and write condition when handling Promise objects. The vulnerability was uncovered by researchers from Palo Alto Networks, who were awarded $50,000 for their successful exploit demonstration.
The second vulnerability, CVE-2025-4919 (CVSS score: 8.8), also stems from JavaScript—specifically, improper array index handling. Researcher Manfred Paul demonstrated how mismanagement of array indices could allow attackers to read and write data beyond the permissible bounds of memory. He likewise received $50,000 for his presentation.
Both vulnerabilities have been deemed critical due to their potential to compromise process memory. However, according to Mozilla, neither researcher was able to escape the browser’s sandbox environment—a typical next step in crafting a complete attack chain. Developers attributed this resilience to recent architectural enhancements that have significantly fortified Firefox’s sandboxing mechanisms. These improvements, they noted, have neutralized an entire class of attacks that had proven successful just a year prior.
Although there is no evidence yet of these vulnerabilities being exploited in the wild, their public disclosure at a high-profile event could spur attempts at weaponization in the near future. In response, Mozilla swiftly mobilized a global engineering team, which prepared, tested, and released patches for all supported versions of Firefox within hours—across both desktop and Android platforms.
The security updates are now available for Firefox 138.0.4, as well as extended support releases ESR 128.10.1 and ESR 115.23.1. Users are strongly urged to install these updates without delay.
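For administrators who need to find unpatched installations across a fleet, the following Python script is an added example (not code from the article or from Mozilla). It compares reported Firefox version strings against the three fixed versions the article names (138.0.4, ESR 128.10.1, ESR 115.23.1). The mapping of major versions 115 and 128 to the ESR lines is an assumption made here; the inventory data is constructed for the example, and nightly or beta version suffixes are simply ignored by the parser.

```python
"""Flag Firefox installations older than the releases that fix CVE-2025-4918 / CVE-2025-4919."""
import re

# Fixed versions named in the advisory coverage.
# Assumption: major versions 115 and 128 are the ESR lines; everything else is
# measured against the mainline 138.0.4 release.
FIXED_ESR = {
    115: (115, 23, 1),  # ESR 115.23.1
    128: (128, 10, 1),  # ESR 128.10.1
}
FIXED_RELEASE = (138, 0, 4)  # Firefox 138.0.4

# Accept "138.0.4", "128.10.1esr", "139.0a1"; trailing suffixes are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> tuple:
    """Turn a Firefox version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def firefox_is_patched(version: str) -> bool:
    """True if this version is at or above the fixed release for its line."""
    v = parse_version(version)
    floor = FIXED_ESR.get(v[0], FIXED_RELEASE)
    # Old mainline builds (e.g. 137.x) compare below 138.0.4 and are reported as unpatched.
    return v >= floor


def triage_inventory(csv_text: str) -> dict:
    """Classify 'host,version' lines as patched, update-required or unparseable."""
    result = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        host = host.strip()
        try:
            result[host] = "patched" if firefox_is_patched(version) else "update-required"
        except ValueError:
            result[host] = "unparseable"  # surface bad data instead of silently passing it
    return result


# Constructed sample inventory for the example; not real hosts or data.
SAMPLE_INVENTORY = """\
ws-01,138.0.3
ws-02,138.0.4
srv-esr-01,128.10.0esr
srv-esr-02,128.10.1esr
legacy-01,115.22.0esr
legacy-02,115.23.1esr
old-01,137.0.2
dev-01,139.0a1
bad-01,unknown
"""

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {status}")
```

Feed it the output of whatever inventory tool reports browser versions (one `host,version` line each); anything listed as `update-required` predates the fix for its line, and `unparseable` rows deserve a manual look rather than being assumed safe.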
Pwn2Own Berlin 2025 concluded on May 17, with total prize money exceeding $1 million. The coveted Master of Pwn title was awarded to the STAR Labs SG team.