Mozilla Fixes Critical Firefox Vulnerabilities Exploited at Pwn2Own Berlin 2025

In a move to protect its users, Mozilla has released security updates to fix two critical vulnerabilities in the Firefox browser that could potentially be exploited to access sensitive data or achieve code execution. These vulnerabilities were recently demonstrated during the Pwn2Own Berlin 2025 hacking contest, where security researchers showcased their ability to bypass various security measures.

The latest Firefox versions, specifically Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, and Firefox for Android, have been updated to address these critical vulnerabilities. According to Mozilla's Security Blog, the company has taken proactive measures to ensure user safety, releasing the updates just hours after the second exploit was announced.

Two content-process exploits were demonstrated at Pwn2Own Berlin 2025, highlighting two zero-day flaws in Firefox. The first vulnerability, CVE-2025-4918, is an out-of-bounds access when resolving Promise objects. An attacker could perform an out-of-bounds read or write on a JavaScript Promise object, potentially leading to sensitive data exposure.

The second vulnerability, CVE-2025-4919, is an out-of-bounds access when optimizing linear sums. An attacker could exploit this by performing an out-of-bounds read or write on a JavaScript object, confusing array index sizes. Both vulnerabilities were discovered by security researchers from Palo Alto Networks and Trend Micro's Zero Day Initiative.

The affected Firefox versions include all versions before 138.0.4 (including Firefox for Android), all versions of Firefox Extended Support Release (ESR) 128 before 128.10.1, and all versions of Firefox ESR 115 before 115.23.1.
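As an added helper (not code from Mozilla or from the original article), the following encodes the fixed versions listed above so an administrator can check an inventory of installed Firefox version strings against them. It assumes that major version 115 and 128 installs are on the ESR branches and everything else is on the main release train; the version strings in the usage section are constructed samples.

```python
"""Check Firefox version strings against the fixed versions named in the advisory."""
from __future__ import annotations

# Fixed versions as stated in the article, keyed by release branch.
FIXED_VERSIONS: dict[str, tuple[int, int, int]] = {
    "release": (138, 0, 4),   # Firefox 138.0.4 (also covers Firefox for Android)
    "esr128": (128, 10, 1),   # Firefox ESR 128.10.1
    "esr115": (115, 23, 1),   # Firefox ESR 115.23.1
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '138.0.4', '138.0' or '128.10.1esr' into a three-part integer tuple.

    Missing components are padded with 0; a trailing 'esr' tag is ignored.
    """
    cleaned = version.strip().lower().removesuffix("esr")
    nums: list[int] = []
    for part in cleaned.split(".")[:3]:
        digits = "".join(ch for ch in part if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def branch_for(major: int) -> str:
    """Map a major version to its branch (assumption: 115 and 128 are ESR)."""
    if major == 115:
        return "esr115"
    if major == 128:
        return "esr128"
    return "release"


def is_vulnerable(version: str) -> bool:
    """True if the given version predates the fix on its branch."""
    parsed = parse_version(version)
    return parsed < FIXED_VERSIONS[branch_for(parsed[0])]


if __name__ == "__main__":
    # Constructed sample inventory, not data from the article.
    for v in ("137.0.2", "138.0.4", "128.10.0esr", "128.10.1esr", "115.23.0esr"):
        print(f"{v:>12}: {'UPDATE NEEDED' if is_vulnerable(v) else 'fixed'}")
```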

Recommendation

"Out of an abundance of caution, we recommend that all users and administrators update Firefox as soon as possible," advises Mozilla. "Despite the limited impact of these attacks, it is essential to prioritize user safety and security." We urge everyone to stay vigilant and keep their browsers up to date to prevent potential exploitation.

Stay Informed

For the latest updates on Firefox security and Pwn2Own Berlin 2025, follow us on Twitter: @securityaffairs. Additionally, you can find more information on Facebook and Mastodon.