Summary: Mozilla Patches Two Critical Zero-Day Vulnerabilities In Firefox.

The Two critical zero-day vulnerabilities (CVE-2025-4918 and CVE-2025-4919) have been discovered in Mozilla Firefox, allowing attackers to execute malicious code through out-of-bounds memory manipulation in the JavaScript engine.

OEM	Mozilla
Severity	High
CVSS Score	8.8
CVEs	CVE-2025-4918, CVE-2025-4919
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

Mozilla has released emergency security updates to address the issues.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
​ JavaScript Promise OOB Access	CVE-2025-4918	Firefox	High	Firefox 138.0.4, ESR 128.10.1, 115.23.1
Array Index Confusion	CVE-2025-4919	Firefox	High	Firefox 138.0.4, ESR 128.10.1, 115.23.1

Technical Summary

The two vulnerabilities lie within the JavaScript engine of Mozilla Firefox. CVE-2025-4918 arises from improper handling of JavaScript Promise objects, leading to out-of-bounds memory access. CVE-2025-4919 involves an integer overflow during array index calculations, resulting in memory corruption.

Both vulnerabilities can be exploited by tricking users into visiting a malicious website, allowing attackers to gain code execution capabilities within the browser.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-4918	Firefox < 138.0.4, ESR < 128.10.1, < 115.23.1	Improper memory boundary handling in JavaScript Promise resolution leads to out-of-bounds read/write	Remote Code Execution
CVE-2025-4919	Firefox < 138.0.4, ESR < 128.10.1, < 115.23.1	Array index miscalculation during optimization routines allows memory corruption via out-of-bounds access	Remote Code Execution

Remediation:

• Update Firefox: Mozilla has released patched versions that fix these vulnerabilities. Users and administrators should immediately update to the latest versions:
• Firefox 138.0.4 or later
• Firefox ESR 128.10.1 or later
• Firefox ESR 115.23.1 or later

Recommendations:

• Temporary Workarounds (if immediate update is not possible):
• Avoid visiting unfamiliar or suspicious websites.
• Use browser security extensions to restrict or disable JavaScript execution.
• Consider using application whitelisting or sandboxing to restrict browser-based activities.
• Enterprise Recommendation:
• Deploy Firefox updates across managed environments using enterprise software deployment tools.
• Monitor threat intelligence feeds and endpoint protection logs for any signs of exploitation

Conclusion:
The vulnerabilities CVE-2025-4918 and CVE-2025-4919 pose critical risks as they can be exploited for remote code execution via malicious JavaScript. These flaws were responsibly disclosed and demonstrated at Pwn2Own 2025, a leading security research competition held in Berlin.

• CVE-2025-4918 was discovered and demonstrated by Edouard Bochin and Tao Yan from Palo Alto Networks, involving an out-of-bounds write in the handling of JavaScript Promise objects.
• CVE-2025-4919 was discovered by security researcher Manfred Paul, who exploited a memory corruption issue through array index manipulation.

Both researchers participated through Trend Micro’s Zero Day Initiative (ZDI), and their demonstrations earned top scores and prizes. Mozilla has responded swiftly with fixes, and users are strongly urged to update immediately.

Staying current with software patches remains a vital defense against modern web-based threats.

The updates, which cover Firefox on both desktop and Android platforms, as well as two Extended Support Releases (ESR), were issued just hours after the event concluded on Saturday—immediately following the public demonstration of the second vulnerability.

References:

• https://www.mozilla.org/en-US/security/advisories/mfsa2025-36/
• https://www.zerodayinitiative.com/blog/2025/5/16/pwn2own-berlin-2025-day-two-results
•  https://gbhackers.com/critical-firefox-0-day-flaws/