Mozilla Fixes Firefox Zero-Days Exploited at Hacking Contest

Just hours after the conclusion of the Pwn2Own Berlin 2025 hacking competition, Mozilla released emergency security updates to address two critical Firefox zero-day vulnerabilities that were demonstrated during the event. The swift action by the software vendor highlights its commitment to protecting users from newly discovered threats.

The Zero-Day Flaws

The two identified flaws, CVE-2025-4918 and CVE-2025-4919, pose significant risks for Firefox users. The first flaw, tracked under CVE-2025-4918, is an out-of-bounds read/write issue in the JavaScript engine when resolving Promise objects. This vulnerability was demonstrated during Day 2 of Pwn2Own by Palo Alto Networks security researchers Edouard Bochin and Tao Yan, who earned $50,000 for their discovery.

The second flaw, CVE-2025-4919, allows attackers to perform out-of-bounds reads/writes on a JavaScript object by confusing array index sizes. Security researcher Manfred Paul discovered this vulnerability, compromising the browser's renderer process and winning $50,000 in the process.

Significance of the Flaws

Although Mozilla rates these flaws as "critical," the software vendor notes that neither researcher was able to perform a sandbox escape. "Unlike prior years, neither participating group was able to escape our sandbox this year," explained Mozilla's Firefox team in the announcement. "We have verbal confirmation that this is attributed to the recent architectural improvements to our Firefox sandbox which have neutered a wide range of such attacks."

Preventing Real-World Attacks

The public demonstration of these zero-day flaws during Pwn2Own Berlin 2025 could fuel real-world attacks soon. To mitigate this risk, Mozilla engaged a diverse "task force" from across the globe to develop fixes for the demonstrated exploits, test them, and push out security updates as soon as possible.

Recommended Updates

Firefox users are advised to upgrade to version 138.0.4, ESR 128.10.1, or ESR 115.23.1 to ensure they have the latest security patches installed. This proactive move demonstrates Mozilla's commitment to protecting its users from emerging threats.
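Because the fix lives on three separate branches (release 138, ESR 128 and ESR 115), a naive "is my version newer than 138.0.4?" check misclassifies every ESR install. The helper below is an added example, not code from the article or from Mozilla: it parses a version string such as the output of `firefox --version` and compares it against the patched build of the matching branch. The three fixed versions are taken from the article; the sample version strings are constructed, and the treatment of branches not named in the advisory (later releases counted as fixed, out-of-support branches counted as unpatched) is this example's own assumption.

```python
"""Classify a Firefox version string as patched or not for CVE-2025-4918/-4919.

Fixed builds per the article: 138.0.4 (release), 128.10.1 (ESR), 115.23.1 (ESR).
"""

import re
from typing import Dict, Tuple

# Minimum patched build per branch, keyed by major version (from the article).
PATCHED: Dict[int, Tuple[int, int, int]] = {
    138: (138, 0, 4),   # current release branch
    128: (128, 10, 1),  # ESR 128 branch
    115: (115, 23, 1),  # ESR 115 branch
}

# Major version of the newest branch the advisory lists; anything later is
# assumed (this example's assumption) to have shipped with the fix.
NEWEST_FIXED_MAJOR = max(PATCHED)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from strings like "138.0.4",
    "128.10.1esr" or "Mozilla Firefox 115.23.1". A missing patch
    component counts as 0; suffixes such as "esr" are ignored."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = match.group(1), match.group(2), match.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_patched(text: str) -> bool:
    """True if the version is at or above the fixed build of its branch."""
    version = parse_version(text)
    major = version[0]
    if major in PATCHED:
        # Same branch: plain tuple comparison does the right thing.
        return version >= PATCHED[major]
    # Branches the advisory does not list: a later release branch is assumed
    # to include the fix; a non-ESR branch between 115 and 138, or anything
    # older than 115, has no fixed build and is treated as unpatched.
    return major > NEWEST_FIXED_MAJOR


def triage(lines) -> Dict[str, bool]:
    """Map each version line (e.g. collected from an inventory) to its status."""
    return {line: is_patched(line) for line in lines}


if __name__ == "__main__":
    # Constructed sample inventory lines, not real hosts.
    SAMPLE = [
        "Mozilla Firefox 138.0.4",
        "Mozilla Firefox 138.0.3",
        "Mozilla Firefox 128.10.1esr",
        "Mozilla Firefox 128.9.0esr",
        "Mozilla Firefox 115.23.1esr",
        "Mozilla Firefox 130.0",
    ]
    for line, ok in triage(SAMPLE).items():
        print(f"{'PATCHED ' if ok else 'UPDATE  '} {line}")
```

Feeding it the raw `firefox --version` line is enough; the regex tolerates the product prefix and the `esr` suffix, and the branch lookup keeps an ESR 128.10.1 install from being flagged merely because 128 is less than 138.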

Pwn2Own Berlin 2025 Recap

The competition concluded on Saturday with over a million USD in payouts and the STAR Labs SG team winning the 'Master of Pwn' title. The event highlighted the ongoing cat-and-mouse game between security researchers and software vendors, as demonstrated by the quick response to these new Firefox zero-day vulnerabilities.