
Mozilla patches exploited Firefox bugs


Mozilla has issued emergency patches to fix two Firefox vulnerabilities exploited during the Pwn2Own hacking competition held in Berlin. The two vulnerabilities were zero-days, part of the 28 total zero-day bugs discovered and exploited in the competition.

Mozilla rated both vulnerabilities as critical, but pointed out that neither team of researchers was able to escape the browser's sandbox. The updates have been released for desktop, Android, and two of Firefox's Extended Support Release (ESR) versions. Users are advised to update to version 138.0.4, ESR 128.10.1, or ESR 115.21.1 as soon as possible.
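For administrators who need to confirm that a fleet is on a fixed build, the check is branch-aware: a 128.x install is patched only at 128.10.1 or later, a 115.x install only at 115.21.1 or later, and everything else only at 138.0.4 or later. The script below is an added example, not Mozilla's tooling or part of the original article; the version thresholds are the ones the advisory states, while the inventory data, the `esr`-suffix handling and the function names are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed builds named in the advisory (values from the article above).
PATCHED: Dict[str, Version] = {
    "esr115": (115, 21, 1),
    "esr128": (128, 10, 1),
    "release": (138, 0, 4),
}

# Accepts "138.0.4", "138.0", or "128.10.1esr" (assumed display formats).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")


def parse_version(text: str) -> Version:
    """Turn a Firefox version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)  # "138.0" is treated as 138.0.0
    return (major, minor, patch)


def branch_for(version: Version) -> str:
    """Map a version to the support branch whose fixed build applies to it.

    115.x and 128.x are the two ESR branches the advisory covers; any other
    major is judged against the mainline fix. A mainline 129-137 install is
    therefore reported as unpatched, which is the conservative answer.
    """
    major = version[0]
    if major == 115:
        return "esr115"
    if major == 128:
        return "esr128"
    return "release"


def is_patched(text: str) -> bool:
    """True if the given version string is at or above the fix for its branch."""
    version = parse_version(text)
    return version >= PATCHED[branch_for(version)]


def hosts_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose recorded Firefox build is below the fixed one."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory (hostnames and builds are made up for the example).
SAMPLE_INVENTORY = {
    "ws-01": "138.0.4",
    "ws-02": "138.0.3",
    "ws-03": "128.10.1esr",
    "ws-04": "128.9.0esr",
    "ws-05": "115.21.1esr",
    "ws-06": "137.0.2",
    "ws-07": "139.0",
}

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: Firefox {SAMPLE_INVENTORY[host]} needs updating")
```

The comparison is done on integer tuples rather than on strings so that 128.10.1 sorts above 128.9.0; a plain string compare would get that wrong.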


The discovered zero-days were as follows:

  • CVE-2025-4918: This is an out-of-bounds read/write bug in Firefox’s JavaScript engine that arises when resolving Promise objects. Palo Alto Networks security researchers Edouard Bochin and Tao Yan discovered the vulnerability, which earned them $50,000 in bug bounties.
  • CVE-2025-4919: This is another out-of-bounds read/write issue on a JavaScript object, but it works by confusing array index sizes instead. The vulnerability was discovered by security researcher Manfred Paul, winning $50,000 in the process.

Since neither of the attacks could break through Mozilla's sandbox, they're ineffective in the real world, as they won't be able to gain access to or control over the user's system. However, Mozilla says it released a new Firefox version out of an "abundance of caution," and has advised administrators to update their installations despite the limited impact.

There’s also no evidence at the time of writing to suggest that these bugs have been exploited in the wild. However, following their public demonstration at the hacking competition, exploits are expected to appear on the internet soon. As long as you’ve updated Firefox to the latest version available, there’s no need to worry.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
