FireFox

Security Advisory

Mozilla Firefox Releases 145 Security Updates, 16 High-Severity Vulnerabilities across multiple Firefox versions & Platforms

Summary : Mozilla released the Firefox 145 Security Update on November 11, 2025, addressing 16 vulnerabilities affecting multiple components allowing arbitrary code execution.

The Mozilla Firefox advisory details reveal that exploiting these vulnerabilities requires attackers to deliver malicious content via compromised websites or through network attacks. The vulnerability landscape reveals concerning patterns in critical components where WebGPU graphics processing emerges as a significant attack surface, with five separate boundary condition flaws identified.

OEM Mozilla 
Severity High 
Date of Announcement 2025-11-11 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Vulnerability Name CVE ID Product Affected Severity 
Graphics Race Condition Enabling Remote Code Execution CVE-2025-13012 Firefox High 
WebAssembly Boundary Error RCE CVE-2025-13016 Firefox High 
WebGPU Boundary Error Leading to Remote Code Execution CVE-2025-13021 Firefox High 
WebGPU Boundary Error Leading to Remote Code Execution CVE-2025-13022 Firefox High 
WebGPU Sandbox Escape via Boundary Flaw CVE-2025-13023 Firefox High 
JavaScript Engine JIT Miscompilation RCE CVE-2025-13024 Firefox High 
WebGPU Boundary Error Leading to Remote Code Execution CVE-2025-13025 Firefox High 
WebGPU Sandbox Escape and Code Execution CVE-2025-13026 Firefox High 
Memory Safety Bugs Allowing Arbitrary Code Execution CVE-2025-13027 Firefox, Thunderbird High 

Mozilla released the Firefox 145 Security Update on November 11, 2025, addressing 16 vulnerabilities affecting multiple components.

The patched vulnerabilities include memory safety bugs, boundary errors, race conditions, and sandbox escapes that could allow remote code execution (RCE), privilege escalation or data exposure. Although no active exploitation has been reported. Users and administrators should upgrade immediately to prevent exploitation and maintain browser security integrity. 

Technical Summary 

Memory corruption and sandbox escape issues could allow attackers to run malicious code or bypass.

Firefox’s isolation controls, leading to full system compromise. WebRTC and multimedia use-after-free bugs further increase the risk of crashing or leaking live data.

Though no exploitation has been detected, users and enterprises should update immediately to reduce exposure to emerging browser-based threats. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-13012 Graphics Subsystem Race condition vulnerability leads to system crash or remote execution. Remote Code Execution 
CVE-2025-13016 JavaScript: WebAssembly Incorrect memory boundary validation allows code execution through crafted scripts. Remote Code Execution 
CVE-2025-13021 Graphics: WebGPU Boundary condition errors may cause memory corruption and remote code execution.  
Remote Code Execution  
CVE-2025-13022 Graphics: WebGPU Boundary error in WebGPU rendering pipeline allowing memory corruption Remote Code Execution 
CVE-2025-13023 Graphics: WebGPU Sandbox escape via boundary flaw enabling code execution outside browser process. Sandbox Escape, RCE 
CVE-2025-13024 JavaScript Engine: JIT JIT miscompilation allows stealthy remote code execution within browser context. Remote Code Execution 
CVE-2025-13025 Graphics: WebGPU Improper memory boundary control in WebGPU leads to RCE. Remote Code Execution 
CVE-2025-13026 Graphics: WebGPU Sandbox escape enabling remote code execution beyond browser sandbox. Sandbox Escape, RCE 
CVE-2025-13027 Firefox / Thunderbird Memory safety errors across multiple components allow arbitrary code execution. Remote Code Execution 

Source: Microsoft, Cybersecurity News 

In addition to several high severity vulnerabilities, the update also addresses several other Medium and Low severity vulnerabilities across browser subsystems – 

  • CVE-2025-13017: DOM Notifications Origin Bypass – Same-origin policy bypass may expose user data or notifications to untrusted sites. (Medium) 
  • CVE-2025-13018: DOM Security Mitigation Bypass – Allows limited circumvention of built-in browser security controls. (Medium) 
  • CVE-2025-2884: TCG TPM 2.0 Vulnerability – Out-of-bounds read in TPM cause info disclosure or DoS, impacting secure boot. (Medium) 
  • CVE-2025-13019: DOM Workers Origin Bypass – May expose cross-origin content or enable script injection. (Medium) 
  • CVE-2025-13013: DOM Core/HTML Mitigation Bypass – Allows controlled bypass of HTML sanitization in certain contexts. (Medium) 
  • CVE-2025-13014: Audio/Video Use-After-Free – Memory mismanagement issue that could leak multimedia data or crash browser. (Medium)  
  • CVE-2025-13015: Firefox UI Spoofing – Interface rendering flaw may allow deceptive UI elements. (Low) 

Recommendations: 

  • Update all Firefox to version 145 immediately to mitigate the vulnerabilities.  

Here are some recommendations below  

  • Enable automatic browser updates across all systems. 
  • Perform vulnerability scans to ensure no outdated browser versions remain. 
  • Restrict use of WebGPU or WebAssembly APIs in enterprise environments unless essential. 
  • Educate employees about risks from phishing, drive-by downloads and malicious extensions. 

Conclusion: 
The Firefox 145 update is a critical security release addressing sixteen vulnerabilities across graphics, WebGPU, JavaScript engine, DOM, and WebRTC components.

Immediate patching and adherence to strong security hygiene are essential to prevent remote code execution, sandbox escapes, and data leaks. Timely remediation ensures operational continuity and protection of both individual and enterprise users against evolving exploitation techniques targeting browser flaws. 

Improving browsing behavior significantly reduces risk exposure of users. Reporters Oskar L and Jamie Nicol highlighted how these bugs exploit WebGPU’s high-performance rendering, a feature increasingly targeted as web apps grow more graphics-intensive.

References

Security Advisory

Critical Firefox 0-Day Vulnerabilities Exploited at Pwn2Own 2025 – Immediate Update Required

Summary: Mozilla Patches Two Critical Zero-Day Vulnerabilities In Firefox.

The Two critical zero-day vulnerabilities (CVE-2025-4918 and CVE-2025-4919) have been discovered in Mozilla Firefox, allowing attackers to execute malicious code through out-of-bounds memory manipulation in the JavaScript engine.

OEMMozilla
SeverityHigh
CVSS Score8.8
CVEsCVE-2025-4918, CVE-2025-4919
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

Mozilla has released emergency security updates to address the issues.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
​ JavaScript Promise OOB Access  CVE-2025-4918Firefox  High  Firefox 138.0.4, ESR 128.10.1, 115.23.1
Array Index Confusion  CVE-2025-4919Firefox  High  Firefox 138.0.4, ESR 128.10.1, 115.23.1

Technical Summary

The two vulnerabilities lie within the JavaScript engine of Mozilla Firefox. CVE-2025-4918 arises from improper handling of JavaScript Promise objects, leading to out-of-bounds memory access. CVE-2025-4919 involves an integer overflow during array index calculations, resulting in memory corruption.

Both vulnerabilities can be exploited by tricking users into visiting a malicious website, allowing attackers to gain code execution capabilities within the browser.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-4918  Firefox < 138.0.4, ESR < 128.10.1, < 115.23.1Improper memory boundary handling in JavaScript Promise resolution leads to out-of-bounds read/write    Remote Code Execution
    CVE-2025-4919    Firefox < 138.0.4, ESR < 128.10.1, < 115.23.1Array index miscalculation during optimization routines allows memory corruption via out-of-bounds access    Remote Code Execution

Remediation:

  • Update Firefox: Mozilla has released patched versions that fix these vulnerabilities. Users and administrators should immediately update to the latest versions:
  • Firefox 138.0.4 or later
  • Firefox ESR 128.10.1 or later
  • Firefox ESR 115.23.1 or later

Recommendations:

  • Temporary Workarounds (if immediate update is not possible):
  • Avoid visiting unfamiliar or suspicious websites.
  • Use browser security extensions to restrict or disable JavaScript execution.
  • Consider using application whitelisting or sandboxing to restrict browser-based activities.
  • Enterprise Recommendation:
  • Deploy Firefox updates across managed environments using enterprise software deployment tools.
  • Monitor threat intelligence feeds and endpoint protection logs for any signs of exploitation

Conclusion:
The vulnerabilities CVE-2025-4918 and CVE-2025-4919 pose critical risks as they can be exploited for remote code execution via malicious JavaScript. These flaws were responsibly disclosed and demonstrated at Pwn2Own 2025, a leading security research competition held in Berlin.

  • CVE-2025-4918 was discovered and demonstrated by Edouard Bochin and Tao Yan from Palo Alto Networks, involving an out-of-bounds write in the handling of JavaScript Promise objects.
  • CVE-2025-4919 was discovered by security researcher Manfred Paul, who exploited a memory corruption issue through array index manipulation.

Both researchers participated through Trend Micro’s Zero Day Initiative (ZDI), and their demonstrations earned top scores and prizes. Mozilla has responded swiftly with fixes, and users are strongly urged to update immediately.

Staying current with software patches remains a vital defense against modern web-based threats.

The updates, which cover Firefox on both desktop and Android platforms, as well as two Extended Support Releases (ESR), were issued just hours after the event concluded on Saturday—immediately following the public demonstration of the second vulnerability.

References:

Scroll to top