Mozilla launched emergency safety updates to handle two Firefox zero-day vulnerabilities demonstrated within the latest Pwn2Own Berlin 2025 hacking competitors.
The fixes, which embrace the Firefox on Desktop and Android and two Prolonged Assist Releases (ESR), got here mere hours after the conclusion of Pwn2Own, on Saturday, the place the second vulnerability was demonstrated.
The primary flaw, tracked underneath CVE-2025-4918, is an out-of-bounds learn/write problem within the JavaScript engine when resolving Promise objects.
The flaw was demonstrated throughout Day 2 of the competitors by Palo Alto Networks safety researchers Edouard Bochin and Tao Yan, who earned $50,000 for his or her discovery.
The second flaw, CVE-2025-4919, permits attackers to carry out out-of-bounds reads/writes on a JavaScript object by complicated array index sizes.
It was found by safety researcher Manfred Paul, who gained unauthorized entry inside the program’s renderer, profitable $50,000 within the course of.
Though the failings represent vital dangers for Firefox, with Mozilla ranking them “essential” in its bulletins, the software program vendor underlined that neither researchers may carry out a sandbox escape, citing focused strengthening on that entrance.
“In contrast to prior years, neither collaborating group was in a position to escape our sandbox this 12 months,” defined Firefox within the announcement.
“We’ve got verbal affirmation that that is attributed to the latest architectural enhancements to our Firefox sandbox which have neutered a variety of such assaults.”
Though there aren’t any indications that the 2 flaws have been exploited exterior of Pwn2Own, their public demonstration may gas actual assaults quickly.
To mitigate this threat, Mozilla engaged a various “process power” from throughout the globe that labored feverishly to develop fixes for the demonstrated exploits, take a look at them, and push out safety updates as quickly as attainable.
Firefox customers are really helpful to improve to model 138.0.4, ESR 128.10.1, or ESR 115.23.1.
Pwn2Own Berlin 2025 concluded on Saturday with over one million USD in payouts and the STAR Labs SG workforce profitable the ‘Grasp or Pwn’ title.
Two Firefox zero-days have been additionally demonstrated final 12 months at Pwn2Own Vancouver 2024, with Mozilla fixing them the subsequent day.
Based mostly on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK methods behind 93% of assaults and defend towards them.
