Mozilla Firefox patches critical security vulnerabilities with exploit PoC
Take action: This one is important and fairly urgent. Working exploits for both bugs were demonstrated live at Pwn2Own Berlin 2025, so it is only a matter of time before other attackers reproduce them. Don't wait: patch all your Firefox and Firefox-based browsers (Waterfox, Tor Browser) now. Updating a browser is easy, and your tabs reopen after the restart.
Learn More
Mozilla has released an urgent security update for the Firefox web browser to address two critical vulnerabilities that were successfully exploited during the Pwn2Own Berlin 2025 contest.
Both security issues have been classified by Mozilla as critical:
- CVE-2025-4918 (CVSS score 8.8): Out-of-bounds access when resolving Promise objects. An attacker was able to perform an out-of-bounds read or write on a JavaScript Promise object, potentially leading to arbitrary code execution.
- CVE-2025-4919 (CVSS score 8.8): Out-of-bounds access when optimizing linear sums. An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes during optimization.
Both vulnerabilities are memory safety bugs in SpiderMonkey, Firefox's JavaScript engine, and both are reachable from attacker-controlled JavaScript on a web page. An out-of-bounds read or write of this kind can be turned into arbitrary code execution in the context of the browser; in practice that means the sandboxed content process unless it is chained with a separate sandbox escape, after which the attacker runs with the privileges of the user running the browser.
The exploitation of these vulnerabilities during Pwn2Own Berlin 2025 demonstrates that they are practical attack vectors, not theoretical ones. Security experts warn that malicious actors may attempt to reproduce these exploits, putting users of unpatched Firefox builds at significant risk.
Mozilla patched the flaws in:
- Firefox Stable: 138.0.4 (updated from 138.0.1)
- Firefox 115 ESR: 115.23.1 (updated from 115.23.0)
- Firefox 128 ESR: 128.10.1 (updated from 128.10.0)
Mozilla currently maintains two ESR branches: Firefox 115 ESR for older operating systems such as Windows 7 and 8.1, and Firefox 128 ESR for current operating systems such as Windows 10 and 11. Both ESR branches have received these updates.
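As a quick way to act on the version table above, here is an added shell check (it is not Mozilla's code and not part of the original article) that classifies a `firefox --version` string against the three fixed releases listed. Two things it assumes that the page does not state: any stable release with a major version newer than 138 already carries the fix, and majors outside the 115 ESR, 128 ESR and 138 branches (for example 130.x) are end-of-life release trains that never received one and must be upgraded regardless. The sample version strings are constructed.

```shell
#!/bin/sh
# Added example, not Mozilla's or the article's code: classify a Firefox
# version string against the fixed releases named in the advisory.
#
# Fixed releases (from the article):
#   Firefox Stable  138.0.4
#   Firefox 128 ESR 128.10.1
#   Firefox 115 ESR 115.23.1
#
# Assumptions (not stated on the page): any stable major newer than 138
# already carries the fix; majors outside the 115, 128 and 138 branches
# are end-of-life release trains that never received one.

# vnum "A.B.C" -> single integer for numeric comparison (missing parts = 0).
vnum() {
    IFS=. read -r maj min pat _ <<EOF
$1
EOF
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# firefox_fix_status "<output of firefox --version>"
# Prints patched | vulnerable | eol | unknown.
# Exit status: 0 patched, 1 vulnerable, 2 eol, 3 unknown.
firefox_fix_status() {
    # "Mozilla Firefox 128.10.0esr" -> "128.10.0": drop leading text,
    # then everything from the first character that is not a digit or dot.
    ver=$(printf '%s\n' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
    if [ -z "$ver" ]; then
        echo unknown
        return 3
    fi
    major=${ver%%.*}
    case "$major" in
        115) fixed=115.23.1 ;;
        128) fixed=128.10.1 ;;
        138) fixed=138.0.4 ;;
        *)
            if [ "$major" -gt 138 ]; then
                echo patched      # assumption: later stable releases include the fix
                return 0
            fi
            echo eol              # e.g. 130.x: no fix was ever shipped for this train
            return 2
            ;;
    esac
    if [ "$(vnum "$ver")" -ge "$(vnum "$fixed")" ]; then
        echo patched
        return 0
    fi
    echo vulnerable
    return 1
}

# Constructed sample strings in the shape `firefox --version` prints.
for sample in 'Mozilla Firefox 138.0.1' 'Mozilla Firefox 138.0.4' \
              'Mozilla Firefox 128.10.0esr' 'Mozilla Firefox 128.10.1esr' \
              'Mozilla Firefox 115.23.0esr' 'Mozilla Firefox 130.0'; do
    printf '%-30s %s\n' "$sample" "$(firefox_fix_status "$sample")"
done

# Live check of the browser on this machine, if one is on PATH.
if command -v firefox >/dev/null 2>&1; then
    firefox_fix_status "$(firefox --version 2>/dev/null)"
fi
```

The exit status is deliberately distinct per outcome so the function can drop into a fleet inventory script: anything other than 0 means the host still needs attention, and `eol` flags machines that are stuck on a release train that will never get this fix. Branch-aware comparison matters here because a plain numeric comparison would wrongly report 128.10.1 ESR as older, and therefore vulnerable, next to 138.0.4.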
Given the critical severity rating and the public demonstration of successful exploitation, Mozilla strongly encourages all Firefox users to install the updates immediately.