Critical Firefox 0-Day Vulnerabilities Exploited at Pwn2Own 2025 – Immediate Update Required
Summary: Mozilla Patches Two Critical Zero-Day Vulnerabilities In Firefox.
The Two critical zero-day vulnerabilities (CVE-2025-4918 and CVE-2025-4919) have been discovered in Mozilla Firefox, allowing attackers to execute malicious code through out-of-bounds memory manipulation in the JavaScript engine.
| OEM | Mozilla |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-4918, CVE-2025-4919 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Mozilla has released emergency security updates to address the issues.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| JavaScript Promise OOB Access | CVE-2025-4918 | Firefox | High | Firefox 138.0.4, ESR 128.10.1, 115.23.1 |
| Array Index Confusion | CVE-2025-4919 | Firefox | High | Firefox 138.0.4, ESR 128.10.1, 115.23.1 |
Technical Summary
The two vulnerabilities lie within the JavaScript engine of Mozilla Firefox. CVE-2025-4918 arises from improper handling of JavaScript Promise objects, leading to out-of-bounds memory access. CVE-2025-4919 involves an integer overflow during array index calculations, resulting in memory corruption.
Both vulnerabilities can be exploited by tricking users into visiting a malicious website, allowing attackers to gain code execution capabilities within the browser.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-4918 | Firefox < 138.0.4, ESR < 128.10.1, < 115.23.1 | Improper memory boundary handling in JavaScript Promise resolution leads to out-of-bounds read/write | Remote Code Execution |
| CVE-2025-4919 | Firefox < 138.0.4, ESR < 128.10.1, < 115.23.1 | Array index miscalculation during optimization routines allows memory corruption via out-of-bounds access | Remote Code Execution |
Remediation:
- Update Firefox: Mozilla has released patched versions that fix these vulnerabilities. Users and administrators should immediately update to the latest versions:
- Firefox 138.0.4 or later
- Firefox ESR 128.10.1 or later
- Firefox ESR 115.23.1 or later
Recommendations:
- Temporary Workarounds (if immediate update is not possible):
- Avoid visiting unfamiliar or suspicious websites.
- Use browser security extensions to restrict or disable JavaScript execution.
- Consider using application whitelisting or sandboxing to restrict browser-based activities.
- Enterprise Recommendation:
- Deploy Firefox updates across managed environments using enterprise software deployment tools.
- Monitor threat intelligence feeds and endpoint protection logs for any signs of exploitation
Conclusion:
The vulnerabilities CVE-2025-4918 and CVE-2025-4919 pose critical risks as they can be exploited for remote code execution via malicious JavaScript. These flaws were responsibly disclosed and demonstrated at Pwn2Own 2025, a leading security research competition held in Berlin.
- CVE-2025-4918 was discovered and demonstrated by Edouard Bochin and Tao Yan from Palo Alto Networks, involving an out-of-bounds write in the handling of JavaScript Promise objects.
- CVE-2025-4919 was discovered by security researcher Manfred Paul, who exploited a memory corruption issue through array index manipulation.
Both researchers participated through Trend Micro’s Zero Day Initiative (ZDI), and their demonstrations earned top scores and prizes. Mozilla has responded swiftly with fixes, and users are strongly urged to update immediately.
Staying current with software patches remains a vital defense against modern web-based threats.
The updates, which cover Firefox on both desktop and Android platforms, as well as two Extended Support Releases (ESR), were issued just hours after the event concluded on Saturday—immediately following the public demonstration of the second vulnerability.
References: