
Mozilla has released emergency updates to Firefox and its extended support releases just one day after two critical vulnerabilities were demonstrated during the Pwn2Own Berlin 2025 competition.
The flaws, both affecting JavaScript object handling, were exploited in Firefox's content process but failed to break out of the browser's sandbox.
Firefox, a flagship browser maintained by the Mozilla Foundation, is widely regarded for its open-source codebase, user-centric privacy features, and regular participation in bug bounty and coordinated vulnerability disclosure programs.
The zero-days were revealed during the second and third days of the three-day exploit contest, held in Berlin and organized by Trend Micro's Zero Day Initiative (ZDI). One exploit was authored by Edouard Bochin and Tao Yan from Palo Alto Networks, while the second was delivered by Manfred Paul, a veteran security researcher with a strong Pwn2Own track record. Both teams collaborated with ZDI under responsible disclosure protocols.
Mozilla responded by issuing updates on Saturday, just hours after the final exploit was demonstrated. The patched versions include Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, and the latest Firefox for Android build. These releases address two high-severity vulnerabilities now tracked as CVE-2025-4918 and CVE-2025-4919, both marked critical by Mozilla.
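For defenders who want to confirm that a fleet has actually picked up the fixed builds, the following added example (not Mozilla's code, and not part of this article) compares a Firefox version string against the minimum patched version for its branch, using the version numbers listed above. It assumes `firefox --version` prints a line of the form `Mozilla Firefox 138.0.4` (or `128.10.1esr`), which is the CLI format the helper `installed_firefox_status` expects.

```python
"""Classify a Firefox version string as patched or unpatched for the
Pwn2Own Berlin 2025 fixes (Firefox 138.0.4, ESR 128.10.1, ESR 115.23.1).

Added example for this article; not Mozilla's code. The `firefox --version`
output format is an assumption about the CLI.
"""
import re
import subprocess

# Minimum fixed version per branch, taken from the article's list of releases.
FIXED = {
    "release": (138, 0, 4),
    "esr128": (128, 10, 1),
    "esr115": (115, 23, 1),
}


def parse_version(text):
    """Extract (major, minor, patch) from a string such as 'Mozilla Firefox 128.10.1esr'.

    A two-component version such as '139.0' is treated as patch level 0.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def branch_for(version):
    """Map a version tuple to the ESR branch it belongs to, else the release channel."""
    major = version[0]
    if major == 128:
        return "esr128"
    if major == 115:
        return "esr115"
    return "release"


def is_patched(version_text):
    """Return (patched, branch, minimum_fixed_version) for a version string.

    Tuple comparison handles both an older release train (e.g. 137.x) and an
    older point release on the same train (e.g. 138.0.3).
    """
    version = parse_version(version_text)
    branch = branch_for(version)
    minimum = FIXED[branch]
    return version >= minimum, branch, minimum


def installed_firefox_status(binary="firefox"):
    """Run the local Firefox binary (assumed CLI: `firefox --version`) and classify it."""
    result = subprocess.run([binary, "--version"], capture_output=True, text=True, check=True)
    return is_patched(result.stdout)


if __name__ == "__main__":
    # Constructed sample inputs in the format `firefox --version` is assumed to print.
    for sample in ("Mozilla Firefox 138.0.4", "Mozilla Firefox 137.0.2",
                   "Mozilla Firefox 128.10.1esr", "Mozilla Firefox 115.22.0esr"):
        patched, branch, minimum = is_patched(sample)
        status = "patched" if patched else "UNPATCHED"
        print(f"{sample:32} branch={branch:8} minimum={'.'.join(map(str, minimum))}  {status}")
```

The branch mapping only knows the two ESR trains named in the advisory; any other major version is judged against the mainline 138.0.4 fix, so a stale mainline install (say 137.x) correctly reports as unpatched rather than being mistaken for an ESR build.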
CVE-2025-4918 involved an out-of-bounds read/write in the JavaScript engine when resolving Promise objects. This flaw, submitted by Bochin and Yan, could potentially be leveraged for arbitrary code execution in the content process. The second, CVE-2025-4919, exploited by Paul, abused an array index size confusion during linear sum optimization, also enabling out-of-bounds memory access within the renderer.
Both vulnerabilities were successfully demonstrated during the live competition, earning their researchers $50,000 each. However, neither attack achieved a sandbox escape — a crucial requirement for full system compromise. According to Mozilla, architectural improvements to Firefox's sandbox over the past year were key in limiting the impact of these exploits. The browser's multiprocess model and privilege separation architecture prevented escalation beyond the exploited renderer process.
While Mozilla emphasized that the attacks remained confined to the content process and posed no immediate risk of full system compromise, it still urges all users to upgrade without delay.