Mozilla patches critical Firefox vulnerability similar to Chrome zero-day

Mozilla has issued patches for a critical flaw affecting its Firefox browser for Windows. The vulnerability, tracked as CVE-2025-2857, stems from an incorrect handle and could lead to a sandbox escape. Google recently addressed a similar issue in Chrome that was being exploited as a zero-day.

The issue affected both Firefox and Firefox ESR. Mozilla’s advisory describes it as follows: “a compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape.” While the original Chrome vulnerability was being exploited, Mozilla was not aware of any in-the-wild attacks exploiting this bug at the time of writing.

The Chrome vulnerability, tracked as CVE-2025-2783, was discovered by Kaspersky researchers Boris Larin and Igor Kuznetsov after a phishing campaign targeting Russian journalists, academics, and government agencies came to light. The campaign sent out emails with fake invitations to an event, and victims who clicked the malicious link were immediately exploited without any further action needed. The exploit allowed the attackers to “bypass Google Chrome’s sandbox protection as if it didn’t even exist,” claim the two Kaspersky researchers in their write-up.

After patching Chrome, Google explained that the issue was caused by an incorrect handle being provided, in unspecified circumstances, in Mojo on Windows. Mojo is Google’s IPC (inter-process communication) library for Chromium-based browsers; it carries the messages between the sandboxed processes and the more privileged browser process. Firefox developers then examined their own IPC code, found a similar issue, and patched it.
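The bug class in both browsers is the same: a privileged parent (broker) process answers a handle request from a sandboxed child and hands back a handle with more rights than the child should ever hold. The following is an added example, not code from Mozilla, Chromium or Mojo; it models in Python the least-privilege check a broker should apply before returning a handle. The Win32 access-right constants are the real values; the request and decision structures, the `BROKER_PID` value and the `ALLOWED_RIGHTS` policy table are assumptions made for the example.

```python
# Added example: a toy model of the broker-side check a browser's parent
# process should apply before handing a Windows handle to a sandboxed child.
# Not Mozilla's or Chromium's code. Constants are real Win32 values; the
# request/decision types and the policy table are assumptions of this example.
from dataclasses import dataclass

# Real Win32 access-right bits (winnt.h)
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_ALL = 0x10000000
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
DUPLICATE_SAME_ACCESS = 0x0002  # DuplicateHandle option: copy every right the source has

BROKER_PID = 4242  # constructed: the parent/broker process id in this model

# Least-privilege policy: the most a sandboxed child may ever receive, per object kind.
# Assumed for the example; a real broker derives this from its sandbox policy.
ALLOWED_RIGHTS = {
    "file": GENERIC_READ,                          # content files are read-only to the child
    "process": PROCESS_QUERY_LIMITED_INFORMATION,  # never any control over another process
}

@dataclass
class HandleRequest:
    child_pid: int
    kind: str          # "file" or "process"
    target: str        # file path, or target pid as a string
    requested: int     # desired access mask
    options: int = 0   # DuplicateHandle-style option flags

@dataclass
class Decision:
    granted: bool
    access: int = 0
    reason: str = ""

def broker_check(req: HandleRequest) -> Decision:
    """Decide whether the broker may satisfy a handle request from a sandboxed child."""
    # 1. Never honour "give me whatever rights the parent holds".
    if req.options & DUPLICATE_SAME_ACCESS:
        return Decision(False, reason="DUPLICATE_SAME_ACCESS is never permitted")
    # 2. Unknown object kinds are denied by default.
    if req.kind not in ALLOWED_RIGHTS:
        return Decision(False, reason=f"unknown object kind {req.kind!r}")
    # 3. A handle to the broker itself is exactly the 'unintentionally powerful
    #    handle' that turns a compromised child into a sandbox escape.
    if req.kind == "process" and int(req.target) == BROKER_PID:
        return Decision(False, reason="handle to the broker process refused")
    # 4. Deny, rather than silently clamp, any request that exceeds the policy,
    #    so an over-broad request from a child shows up as an anomaly in logs.
    excess = req.requested & ~ALLOWED_RIGHTS[req.kind] & 0xFFFFFFFF
    if excess:
        return Decision(False, reason=f"requested rights 0x{excess:08x} exceed policy")
    return Decision(True, access=req.requested, reason="ok")

if __name__ == "__main__":
    # Constructed requests: one legitimate, three that a broker must refuse.
    samples = [
        HandleRequest(100, "file", r"C:\profile\cache\a.bin", GENERIC_READ),
        HandleRequest(100, "file", r"C:\profile\cache\a.bin", GENERIC_READ | GENERIC_WRITE),
        HandleRequest(100, "process", str(BROKER_PID), PROCESS_QUERY_LIMITED_INFORMATION),
        HandleRequest(100, "process", "999", PROCESS_DUP_HANDLE),
    ]
    for s in samples:
        d = broker_check(s)
        print(f"{s.kind:8} {s.target:28} -> {'GRANT' if d.granted else 'DENY '} ({d.reason})")
```

The design choice worth noting is step 4: an over-broad request is refused outright instead of being clamped to the allowed bits. Clamping would still be safe, but refusing makes a compromised child that asks for too much visible to whoever reads the broker's logs.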

Given that Chromium is a base for popular browsers like Edge, Brave, Opera, Arc, and more, users can expect security updates to drop soon. The Tor browser, which uses Firefox for its base, has already issued a Windows-only emergency update to patch the issue.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>