Mozilla fixes critical Firefox vulnerabilities exploited in attacks
- Mozilla has released emergency updates for Firefox to fix two critical vulnerabilities already exploited in attacks.
- The vulnerabilities were demonstrated at the Pwn2Own security competition in Berlin and were reported by researchers with Trend Micro's Zero Day Initiative.
- Users are urged to update their browsers immediately to mitigate security risks.
In recent days, Mozilla has rolled out emergency updates for its Firefox browser to address two critical security vulnerabilities that had already been exploited in real-life attacks. These updates—Firefox 138.0.4, Firefox Extended Support Release (ESR) 128.10.1, and Firefox ESR 115.23.1—came in the wake of alarming findings from the Pwn2Own security competition held in Berlin. During this event, security researchers successfully demonstrated exploits against Firefox, prompting the urgent need for fixes to protect users from potential threats. The first vulnerability, tracked as CVE-2025-4918, involved an out-of-bounds access flaw within Firefox’s JavaScript engine. This specific issue was reported by researchers Edouard Bochin and Tao Yan from Palo Alto Networks, working together with Trend Micro’s Zero Day Initiative. Mozilla acknowledged the potential for attackers to perform out-of-bounds read or write on a JavaScript Promise object, which necessitated immediate action to safeguard users. The second vulnerability, identified as CVE-2025-4919, pertained to out-of-bounds access during the optimization of linear sums. This issue was discovered by researcher Manfred Paul, also affiliated with Trend Micro’s Zero Day Initiative, and posed similar risks by allowing attackers to exploit JavaScript objects through array index size manipulation. Each researcher was rewarded $50,000 for their critical findings, emphasizing the seriousness of these vulnerabilities. As exploit details were already shared in the hacker community, attackers could readily deploy these methods against unsuspecting users by luring them to malicious websites. This makes it imperative for all Firefox users to update their software immediately. The update can be accessed through the “Help” menu in Firefox, allowing seamless installation. Given the nature of these vulnerabilities and the demonstrations at Pwn2Own, ensuring software is current is essential for user safety. Mozilla's rapid response to address these threats further highlights the ongoing challenges and pressures faced in cybersecurity today, where vulnerabilities can be discovered and exploited in rapid succession, leaving users at risk if timely updates are not performed.