
Mozilla fixes Firefox zero-days exploited at hacking contest

Mozilla has released emergency security updates to address two Firefox zero-day vulnerabilities demonstrated at the recent Pwn2Own Berlin 2025 hacking competition.

The fixes, which cover Firefox on Desktop and Android and two Extended Support Releases (ESR), came mere hours after the conclusion of Pwn2Own on Saturday, where the second vulnerability was demonstrated.

The first flaw, tracked as CVE-2025-4918, is an out-of-bounds read/write issue in the JavaScript engine when resolving Promise objects.

The flaw was demonstrated during Day 2 of the competition by Palo Alto Networks security researchers Edouard Bochin and Tao Yan, who earned $50,000 for their discovery.

The second flaw, CVE-2025-4919, allows attackers to perform out-of-bounds reads/writes on a JavaScript object by confusing array index sizes.

It was discovered by security researcher Manfred Paul, who gained unauthorized access within the browser's renderer, winning $50,000 in the process.

Although the flaws constitute significant risks for Firefox, with Mozilla rating them "critical" in its bulletins, the software vendor underlined that neither researcher could perform a sandbox escape, citing targeted strengthening on that front.


"Unlike prior years, neither participating group was able to escape our sandbox this year," explained Firefox in the announcement.

"We have verbal confirmation that this is attributed to the recent architectural improvements to our Firefox sandbox which have neutered a wide range of such attacks."

Although there are no indications that the two flaws have been exploited outside of Pwn2Own, their public demonstration could fuel real attacks soon.

To mitigate this risk, Mozilla engaged a diverse "task force" from across the globe that worked feverishly to develop fixes for the demonstrated exploits, test them, and push out security updates as quickly as possible.

Firefox users are recommended to upgrade to version 138.0.4, ESR 128.10.1, or ESR 115.23.1.
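For anyone auditing a fleet, the practical question is whether a given install is at or above the fixed release for its channel. The script below is an added example, not Mozilla's code or part of the article: it parses Firefox version strings (including the `esr` suffix that ESR builds carry), infers the channel from the suffix or the major version (an assumption made here; rapid-release majors 115 and 128 existed in 2024 and are treated as ESR lines, which still yields the correct "update needed" verdict), and compares against the three fixed versions named above. The `application.ini` sample is constructed for the demo.

```python
"""Check Firefox version strings against the releases that fix
CVE-2025-4918 and CVE-2025-4919 (Firefox 138.0.4, ESR 128.10.1, ESR 115.23.1).
Added example; not Mozilla's code. Channel inference is an assumption:
an 'esr' suffix or a major version of 115/128 is treated as an ESR line,
everything else as the rapid-release channel."""
import re
from typing import Optional, Tuple

# Fixed versions named in Mozilla's advisories for the two CVEs
FIXED_RELEASE = (138, 0, 4)
FIXED_ESR = {115: (115, 23, 1), 128: (128, 10, 1)}

# major.minor[.patch][tag][digits], e.g. 138.0.4, 128.10.1esr, 139.0b3
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:([a-z]+)\d*)?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Split '128.10.1esr' into ((128, 10, 1), 'esr'); '139.0' into ((139, 0, 0), None)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {text!r}")
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0)), tag


def is_patched(text: str) -> bool:
    """True if the version carries the fix for its channel, False if it must be updated."""
    version, tag = parse_version(text)
    major = version[0]
    if tag == "esr" or major in FIXED_ESR:
        fixed = FIXED_ESR.get(major)
        # ESR lines not named in the advisory (e.g. an end-of-life ESR) never receive the fix
        return fixed is not None and version >= fixed
    return version >= FIXED_RELEASE


def version_from_application_ini(ini_text: str) -> str:
    """Extract the Version= value from the [App] section of Firefox's application.ini."""
    in_app = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_app = line == "[App]"
            continue
        if in_app and line.startswith("Version="):
            return line.split("=", 1)[1].strip()
    raise ValueError("no Version= entry in [App] section")


# Constructed sample of an application.ini; not taken from a real install
SAMPLE_INI = """[App]
Vendor=Mozilla
Name=Firefox
Version=138.0.3
"""

if __name__ == "__main__":
    for v in ["138.0.4", "138.0.3", "139.0", "128.10.1esr", "128.9.0esr",
              "115.23.1esr", "102.15.1esr"]:
        print(f"{v:>12}: {'patched' if is_patched(v) else 'UPDATE NEEDED'}")
    installed = version_from_application_ini(SAMPLE_INI)
    print(f"application.ini reports {installed}: "
          f"{'patched' if is_patched(installed) else 'UPDATE NEEDED'}")
```

On Linux and Windows the installed version lives in `application.ini` next to the Firefox binary, so the same parser can be pointed at the real file; on a managed fleet the comparison should be keyed per channel, since an ESR 128.10.0 host is unpatched even though "128" looks far behind "138".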

Pwn2Own Berlin 2025 concluded on Saturday with over one million USD in payouts and the STAR Labs SG team winning the 'Master of Pwn' title.

Two Firefox zero-days were also demonstrated last year at Pwn2Own Vancouver 2024, with Mozilla fixing them the next day.
