Comprehensive Threat Exposure Management Platform
Mozilla has rushed out emergency updates to fix two critical bugs in Firefox that hackers exploited even before they were publicly known. These flaws, revealed during the Pwn2Own hacking contest, could let attackers mess with browser memory and potentially run malicious code or steal sensitive data. The issues tracked as CVE-2025-4918 and CVE-2025-4919 involve how Firefox handles JavaScript promises and array math. Both vulnerabilities were discovered after being actively exploited during the Pwn2Own Berlin hacking competition, highlighting their real-world impact. These out-of-bounds access issues could allow attackers to gain unauthorized access to sensitive information or execute malicious code on a user’s system. If you’re using Firefox and haven’t updated yet, you’re at risk. Organizations must upgrade to Firefox version 138.0.4, or Extended Support Release versions ESR 128.10.1 and ESR 115.23.1 to stay protected against these critical memory corruption vulnerabilities.
Mozilla has urgently released patches for two critical vulnerabilities affecting its Firefox browser. These security flaws were discovered after being actively exploited during the Pwn2Own Berlin hacking competition, highlighting their real-world impact. Tracked as CVE-2025-4918 and CVE-2025-4919, both vulnerabilities could allow attackers to gain unauthorized access to sensitive information or execute malicious code on a user’s system.
CVE-2025-4918 stems from how Firefox handles JavaScript Promises. The bug leads to an out-of-bounds access issue, meaning an attacker could read or write data outside the normal memory boundaries of a JavaScript object. Similarly, CVE-2025-4919 involves a flaw in how Firefox optimizes specific mathematical operations, which can be exploited to manipulate memory handling. It allows attackers to confuse the way array index sizes are handled, again leading to unauthorized memory access.
If exploited, these vulnerabilities could allow threat actors to carry out actions like stealing private data, bypassing security protections, or crashing and taking control of the browser. In some cases, this might even be used as a steppingstone to launch broader attacks on the system. The risks include full remote code execution essentially letting an attacker run arbitrary code on the victim’s machine.
To stay safe, Mozilla strongly recommends that users update their browsers immediately. The fixes are available in Firefox version 138.0.4, and in the extended support releases ESR 128.10.1 and ESR 115.23.1. Promptly applying these updates is essential to close off the vulnerabilities before they can be further abused in the wild.
Mozilla has released fixed versions to patch these security holes. If you’re using Firefox, go ahead and update it to the latest version 138.0.4. If you’re using the Extended Support Release (ESR), make sure you’re on 128.10.1 or 115.23.1.
To make life easier, turn on automatic updates in your Firefox settings. That way, you’ll always have the latest security fixes without needing to remember to check manually.
While Mozilla has patched the issue, it’s always a good idea to avoid shady websites. You can also install tools to block potentially harmful scripts from running in your browser.
This involves regularly assessing and updating software to address known vulnerabilities. Maintain an inventory of software versions and security patches, and evaluate the security practices of third-party vendors, especially for critical applications and services.
Resource Development
Initial Access
Execution
Get through updates and upcoming events, and more directly in your inbox