Tuesday, May 20, 2025

Mozilla fixes Firefox zero-days exploited at hacking contest


Mozilla has released emergency security updates to address two Firefox zero-day vulnerabilities demonstrated at the recent Pwn2Own Berlin 2025 hacking competition.

The fixes, which cover Firefox on desktop and Android and the two Extended Support Releases (ESR), came mere hours after the conclusion of Pwn2Own on Saturday, where the second vulnerability was demonstrated.

The first flaw, tracked as CVE-2025-4918, is an out-of-bounds read/write issue in the JavaScript engine when resolving Promise objects.

The flaw was demonstrated on Day 2 of the competition by Palo Alto Networks security researchers Edouard Bochin and Tao Yan, who earned $50,000 for their discovery.

The second flaw, CVE-2025-4919, allows attackers to perform out-of-bounds reads/writes on a JavaScript object by confusing array index sizes.

It was discovered by security researcher Manfred Paul, who gained unauthorized access within the browser's renderer, winning $50,000 in the process.

Although the flaws constitute significant risks for Firefox, with Mozilla rating them "critical" in its bulletins, the software vendor underlined that neither researcher could perform a sandbox escape, citing targeted hardening on that front.

"Unlike prior years, neither participating team was able to escape our sandbox this year," Firefox explained in the announcement.

"We have verbal confirmation that this is attributed to the recent architectural improvements to our Firefox sandbox which have neutered a wide range of such attacks."

Although there are no indications that the two flaws have been exploited outside of Pwn2Own, their public demonstration could fuel real attacks soon.

To mitigate this risk, Mozilla engaged a diverse "task force" from across the globe that worked feverishly to develop fixes for the demonstrated exploits, test them, and push out security updates as quickly as possible.

Firefox users are recommended to upgrade to version 138.0.4, ESR 128.10.1, or ESR 115.23.1.
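Because the fix landed on three separate branches, a simple "is my version new enough" check has to know which branch a build belongs to. The following is an added example, not code from the article or from Mozilla: it takes the three fixed versions named above and decides whether an installed build is patched and, if not, which of the three builds to move to (the mapping of unsupported mainline builds to 138.0.4 is an assumed policy).

```python
import re

# Minimum patched build per supported branch, keyed by major version
# (the three fixed versions named in the article).
FIXED_BY_MAJOR = {
    138: (138, 0, 4),   # Firefox release
    128: (128, 10, 1),  # ESR 128
    115: (115, 23, 1),  # ESR 115
}


def parse_version(text):
    """Turn '138.0.4', '128.10.1esr' or '115.23' into a 3-tuple of ints."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:esr)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_patched(text):
    """True if this build already carries the CVE-2025-4918/CVE-2025-4919 fixes."""
    v = parse_version(text)
    major = v[0]
    if major in FIXED_BY_MAJOR:
        # Same branch: a lexicographic tuple compare handles the point release.
        return v >= FIXED_BY_MAJOR[major]
    # Any mainline release newer than 138 was cut after the fix landed;
    # anything else (e.g. 137.x, 120.x) is an unsupported build without the fix.
    return major > max(FIXED_BY_MAJOR)


def recommended_upgrade(text):
    """Return the fixed build an unpatched install should move to, else None."""
    if is_patched(text):
        return None
    major = parse_version(text)[0]
    if major in FIXED_BY_MAJOR:
        target = FIXED_BY_MAJOR[major]   # stay on the same branch
    else:
        target = FIXED_BY_MAJOR[138]     # assumed policy: stale builds go to current release
    return ".".join(map(str, target))


if __name__ == "__main__":
    for build in ("138.0.3", "128.10.1esr", "115.23", "137.0.2"):
        print(build, "patched" if is_patched(build) else f"upgrade to {recommended_upgrade(build)}")
```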

Pwn2Own Berlin 2025 concluded on Saturday with over 1,000,000 USD in payouts and the STAR Labs SG team winning the 'Master of Pwn' title.

Two Firefox zero-days were also demonstrated last year at Pwn2Own Vancouver 2024, with Mozilla fixing them the next day.
