Mozilla Addresses Critical Zero-Day Vulnerabilities in Firefox Exploited at Pwn2Own Berlin

Mozilla has recently released security updates to rectify two critical vulnerabilities in its Firefox browser, both of which were exploited as zero-day flaws during the Pwn2Own Berlin hacking competition. These vulnerabilities, identified as CVE-2025-4918 and CVE-2025-4919, could potentially allow attackers to access sensitive information or execute arbitrary code on affected systems.

Details of the Vulnerabilities:

1. CVE-2025-4918: This vulnerability involves an out-of-bounds access issue when resolving Promise objects in JavaScript. An attacker could exploit this flaw to perform unauthorized read or write operations on a JavaScript Promise object, potentially leading to information disclosure or code execution.

2. CVE-2025-4919: This flaw pertains to an out-of-bounds access vulnerability during the optimization of linear sums in JavaScript. Exploiting this issue could allow an attacker to manipulate array index sizes, resulting in unauthorized read or write operations on JavaScript objects, which could be leveraged for malicious purposes.

Both vulnerabilities were demonstrated at the Pwn2Own Berlin event, where security researchers showcased their ability to exploit these flaws. Edouard Bochin and Tao Yan from Palo Alto Networks were credited with discovering and reporting CVE-2025-4918, while Manfred Paul identified CVE-2025-4919. Each researcher was awarded $50,000 for their findings.

Affected Versions and Recommendations:

The vulnerabilities impact the following versions of Firefox:

– All versions prior to Firefox 138.0.4, including Firefox for Android.

– All versions of Firefox Extended Support Release (ESR) before 128.10.1.

– All versions of Firefox ESR before 115.23.1.

Mozilla has addressed these issues in the latest releases:

– Firefox 138.0.4

– Firefox ESR 128.10.1

– Firefox ESR 115.23.1

Users are strongly advised to update their browsers to these versions promptly to mitigate potential security risks.
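For administrators checking many machines, the version thresholds above can be turned into an inventory check. The following is an added example, not code from Mozilla or from the original article. It assumes version strings in the form printed by `firefox --version` ("Mozilla Firefox <version>", with an "esr" suffix on ESR builds), and the hostnames and sample versions are constructed.

```python
import re

# Fixed versions as listed in the article above.
FIXED_RELEASE = (138, 0, 4)
FIXED_ESR = {128: (128, 10, 1), 115: (115, 23, 1)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), is_esr) from a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Firefox version found in {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.group(1, 2, 3))
    return (major, minor, patch), m.group(4) is not None


def is_patched(text):
    """True if the version is at or above the fixed release for its channel."""
    version, is_esr = parse_version(text)
    if not is_esr:
        return version >= FIXED_RELEASE
    # ESR 115.x is judged against its own branch; every other ESR version
    # is compared with 128.10.1, so older branches count as unpatched.
    baseline = FIXED_ESR.get(version[0], FIXED_ESR[128])
    return version >= baseline


def audit(inventory):
    """Map host -> 'patched' / 'VULNERABLE' / 'unknown' for an inventory dict."""
    report = {}
    for host, text in inventory.items():
        try:
            report[host] = "patched" if is_patched(text) else "VULNERABLE"
        except ValueError:
            report[host] = "unknown"
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "ws-01": "Mozilla Firefox 138.0.3",
    "ws-02": "Mozilla Firefox 138.0.4",
    "ws-03": "Mozilla Firefox 128.10.0esr",
    "ws-04": "Mozilla Firefox 115.23.1esr",
    "ws-05": "Mozilla Firefox 102.15.1esr",
    "ws-06": "firefox: command not found",
}
```

Hosts reported as "unknown" returned no parseable version and need a manual check rather than being counted as patched.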

Context and Implications:

The Pwn2Own competitions are renowned for uncovering critical vulnerabilities in widely used software, providing vendors with the opportunity to address these issues before they can be exploited maliciously in the wild. The recent findings at Pwn2Own Berlin underscore the importance of continuous security assessments and prompt patching in maintaining the integrity of software systems.

While Mozilla has stated that neither of the attacks managed to break out of the browser’s sandbox—a security mechanism designed to isolate running programs—there remains a potential risk if these vulnerabilities are combined with other exploits. Therefore, it is crucial for users and administrators to apply the latest updates without delay.

Conclusion:

The discovery and prompt patching of these vulnerabilities highlight the collaborative efforts between security researchers and software vendors in enhancing cybersecurity. By staying vigilant and ensuring that software is up-to-date, users can significantly reduce the risk of falling victim to exploits targeting known vulnerabilities.