Google Releases Exploit Code for Unpatched Chromium Flaws
Chrome Browser Vulnerabilities
Continue ReadingFireFox
Mozilla Firefox Releases 145 Security Updates, 16 High-Severity Vulnerabilities across multiple Firefox versions & Platforms
Summary : Mozilla released the Firefox 145 Security Update on November 11, 2025, addressing 16 vulnerabilities affecting multiple components allowing arbitrary code execution.
The Mozilla Firefox advisory details reveal that exploiting these vulnerabilities requires attackers to deliver malicious content via compromised websites or through network attacks. The vulnerability landscape reveals concerning patterns in critical components where WebGPU graphics processing emerges as a significant attack surface, with five separate boundary condition flaws identified.
| OEM | Mozilla |
| Severity | High |
| Date of Announcement | 2025-11-11 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Graphics Race Condition Enabling Remote Code Execution | CVE-2025-13012 | Firefox | High |
| WebAssembly Boundary Error RCE | CVE-2025-13016 | Firefox | High |
| WebGPU Boundary Error Leading to Remote Code Execution | CVE-2025-13021 | Firefox | High |
| WebGPU Boundary Error Leading to Remote Code Execution | CVE-2025-13022 | Firefox | High |
| WebGPU Sandbox Escape via Boundary Flaw | CVE-2025-13023 | Firefox | High |
| JavaScript Engine JIT Miscompilation RCE | CVE-2025-13024 | Firefox | High |
| WebGPU Boundary Error Leading to Remote Code Execution | CVE-2025-13025 | Firefox | High |
| WebGPU Sandbox Escape and Code Execution | CVE-2025-13026 | Firefox | High |
| Memory Safety Bugs Allowing Arbitrary Code Execution | CVE-2025-13027 | Firefox, Thunderbird | High |
Mozilla released the Firefox 145 Security Update on November 11, 2025, addressing 16 vulnerabilities affecting multiple components.
The patched vulnerabilities include memory safety bugs, boundary errors, race conditions, and sandbox escapes that could allow remote code execution (RCE), privilege escalation or data exposure. Although no active exploitation has been reported. Users and administrators should upgrade immediately to prevent exploitation and maintain browser security integrity.
Technical Summary
Memory corruption and sandbox escape issues could allow attackers to run malicious code or bypass.
Firefox’s isolation controls, leading to full system compromise. WebRTC and multimedia use-after-free bugs further increase the risk of crashing or leaking live data.
Though no exploitation has been detected, users and enterprises should update immediately to reduce exposure to emerging browser-based threats.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-13012 | Graphics Subsystem | Race condition vulnerability leads to system crash or remote execution. | Remote Code Execution |
| CVE-2025-13016 | JavaScript: WebAssembly | Incorrect memory boundary validation allows code execution through crafted scripts. | Remote Code Execution |
| CVE-2025-13021 | Graphics: WebGPU | Boundary condition errors may cause memory corruption and remote code execution. | Remote Code Execution |
| CVE-2025-13022 | Graphics: WebGPU | Boundary error in WebGPU rendering pipeline allowing memory corruption | Remote Code Execution |
| CVE-2025-13023 | Graphics: WebGPU | Sandbox escape via boundary flaw enabling code execution outside browser process. | Sandbox Escape, RCE |
| CVE-2025-13024 | JavaScript Engine: JIT | JIT miscompilation allows stealthy remote code execution within browser context. | Remote Code Execution |
| CVE-2025-13025 | Graphics: WebGPU | Improper memory boundary control in WebGPU leads to RCE. | Remote Code Execution |
| CVE-2025-13026 | Graphics: WebGPU | Sandbox escape enabling remote code execution beyond browser sandbox. | Sandbox Escape, RCE |
| CVE-2025-13027 | Firefox / Thunderbird | Memory safety errors across multiple components allow arbitrary code execution. | Remote Code Execution |
Source: Microsoft, Cybersecurity News
In addition to several high severity vulnerabilities, the update also addresses several other Medium and Low severity vulnerabilities across browser subsystems –
- CVE-2025-13017: DOM Notifications Origin Bypass – Same-origin policy bypass may expose user data or notifications to untrusted sites. (Medium)
- CVE-2025-13018: DOM Security Mitigation Bypass – Allows limited circumvention of built-in browser security controls. (Medium)
- CVE-2025-2884: TCG TPM 2.0 Vulnerability – Out-of-bounds read in TPM cause info disclosure or DoS, impacting secure boot. (Medium)
- CVE-2025-13019: DOM Workers Origin Bypass – May expose cross-origin content or enable script injection. (Medium)
- CVE-2025-13013: DOM Core/HTML Mitigation Bypass – Allows controlled bypass of HTML sanitization in certain contexts. (Medium)
- CVE-2025-13014: Audio/Video Use-After-Free – Memory mismanagement issue that could leak multimedia data or crash browser. (Medium)
- CVE-2025-13015: Firefox UI Spoofing – Interface rendering flaw may allow deceptive UI elements. (Low)
Recommendations:
- Update all Firefox to version 145 immediately to mitigate the vulnerabilities.
Here are some recommendations below
- Enable automatic browser updates across all systems.
- Perform vulnerability scans to ensure no outdated browser versions remain.
- Restrict use of WebGPU or WebAssembly APIs in enterprise environments unless essential.
- Educate employees about risks from phishing, drive-by downloads and malicious extensions.
Conclusion:
The Firefox 145 update is a critical security release addressing sixteen vulnerabilities across graphics, WebGPU, JavaScript engine, DOM, and WebRTC components.
Immediate patching and adherence to strong security hygiene are essential to prevent remote code execution, sandbox escapes, and data leaks. Timely remediation ensures operational continuity and protection of both individual and enterprise users against evolving exploitation techniques targeting browser flaws.
Improving browsing behavior significantly reduces risk exposure of users. Reporters Oskar L and Jamie Nicol highlighted how these bugs exploit WebGPU’s high-performance rendering, a feature increasingly targeted as web apps grow more graphics-intensive.
References:
Critical Firefox 0-Day Vulnerabilities Exploited at Pwn2Own 2025 – Immediate Update Required
Summary: Mozilla Patches Two Critical Zero-Day Vulnerabilities In Firefox.
The Two critical zero-day vulnerabilities (CVE-2025-4918 and CVE-2025-4919) have been discovered in Mozilla Firefox, allowing attackers to execute malicious code through out-of-bounds memory manipulation in the JavaScript engine.
| OEM | Mozilla |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-4918, CVE-2025-4919 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Mozilla has released emergency security updates to address the issues.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| JavaScript Promise OOB Access | CVE-2025-4918 | Firefox | High | Firefox 138.0.4, ESR 128.10.1, 115.23.1 |
| Array Index Confusion | CVE-2025-4919 | Firefox | High | Firefox 138.0.4, ESR 128.10.1, 115.23.1 |
Technical Summary
The two vulnerabilities lie within the JavaScript engine of Mozilla Firefox. CVE-2025-4918 arises from improper handling of JavaScript Promise objects, leading to out-of-bounds memory access. CVE-2025-4919 involves an integer overflow during array index calculations, resulting in memory corruption.
Both vulnerabilities can be exploited by tricking users into visiting a malicious website, allowing attackers to gain code execution capabilities within the browser.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-4918 | Firefox < 138.0.4, ESR < 128.10.1, < 115.23.1 | Improper memory boundary handling in JavaScript Promise resolution leads to out-of-bounds read/write | Remote Code Execution |
| CVE-2025-4919 | Firefox < 138.0.4, ESR < 128.10.1, < 115.23.1 | Array index miscalculation during optimization routines allows memory corruption via out-of-bounds access | Remote Code Execution |
Remediation:
- Update Firefox: Mozilla has released patched versions that fix these vulnerabilities. Users and administrators should immediately update to the latest versions:
- Firefox 138.0.4 or later
- Firefox ESR 128.10.1 or later
- Firefox ESR 115.23.1 or later
Recommendations:
- Temporary Workarounds (if immediate update is not possible):
- Avoid visiting unfamiliar or suspicious websites.
- Use browser security extensions to restrict or disable JavaScript execution.
- Consider using application whitelisting or sandboxing to restrict browser-based activities.
- Enterprise Recommendation:
- Deploy Firefox updates across managed environments using enterprise software deployment tools.
- Monitor threat intelligence feeds and endpoint protection logs for any signs of exploitation
Conclusion:
The vulnerabilities CVE-2025-4918 and CVE-2025-4919 pose critical risks as they can be exploited for remote code execution via malicious JavaScript. These flaws were responsibly disclosed and demonstrated at Pwn2Own 2025, a leading security research competition held in Berlin.
- CVE-2025-4918 was discovered and demonstrated by Edouard Bochin and Tao Yan from Palo Alto Networks, involving an out-of-bounds write in the handling of JavaScript Promise objects.
- CVE-2025-4919 was discovered by security researcher Manfred Paul, who exploited a memory corruption issue through array index manipulation.
Both researchers participated through Trend Micro’s Zero Day Initiative (ZDI), and their demonstrations earned top scores and prizes. Mozilla has responded swiftly with fixes, and users are strongly urged to update immediately.
Staying current with software patches remains a vital defense against modern web-based threats.
The updates, which cover Firefox on both desktop and Android platforms, as well as two Extended Support Releases (ESR), were issued just hours after the event concluded on Saturday—immediately following the public demonstration of the second vulnerability.
References: