Mozilla Addresses Firefox Zero-Day Vulnerabilities Exploited During Hacking Competition
Mozilla has released urgent security updates to rectify two critical zero-day vulnerabilities in Firefox, which were demonstrated at the recent Pwn2Own Berlin 2025 hacking competition. These updates apply to both the desktop and Android versions of Firefox, as well as to two Extended Support Releases (ESR).
The patches followed shortly after the conclusion of Pwn2Own, where participants demonstrated the flaws live. The first vulnerability, identified as CVE-2025-4918, is an out-of-bounds read/write issue in the JavaScript engine related to the resolution of Promise objects. It was demonstrated on the second day of the competition by Palo Alto Networks security researchers Edouard Bochin and Tao Yan, who were awarded $50,000 for their findings.
The second vulnerability, CVE-2025-4919, allows out-of-bounds reads/writes on a JavaScript object through manipulation of array index sizes. It was uncovered by researcher Manfred Paul, who used it to gain unauthorized access to the browser's renderer process, for which he also received a $50,000 reward.
While Mozilla has classified these vulnerabilities as “critical” due to their potential risk, it is worth noting that neither vulnerability allowed a successful sandbox escape, thanks to enhanced security measures implemented by Mozilla. The company confirmed that no researcher participating in the contest was able to breach its sandbox protections this year, attributing this to recent architectural improvements.
Although there is no confirmed exploitation of these vulnerabilities outside the Pwn2Own event, the public nature of their demonstration raises concerns about imminent real-world attacks. In response, Mozilla mobilized a global task force dedicated to rapidly developing fixes, rigorously testing them, and deploying security updates without delay.
Users of Firefox are strongly encouraged to update to version 138.0.4, ESR 128.10.1, or ESR 115.23.1 to ensure their systems are protected against these threats.
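As an added example (not Mozilla's code), a small inventory check that flags Firefox installs below the fixed versions named above; the hostnames and version strings are constructed, and treating mainline releases newer than 138 as patched is an assumption.

```python
# Added example: flag Firefox installs that predate the Pwn2Own Berlin 2025 fixes.
from typing import Dict, Tuple

# Minimum patched version per release branch, keyed by major version
# (values taken from the advisory text; not a complete Mozilla release table).
FIXED_VERSIONS: Dict[int, Tuple[int, int, int]] = {
    138: (138, 0, 4),    # mainline release
    128: (128, 10, 1),   # ESR 128
    115: (115, 23, 1),   # ESR 115
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'Mozilla Firefox 138.0.4' or '128.10.1esr' into a comparable tuple."""
    tokens = [t for t in text.lower().split() if t[:1].isdigit()]
    if not tokens:
        raise ValueError(f"unrecognised Firefox version string: {text!r}")
    core = tokens[0][:-3] if tokens[0].endswith("esr") else tokens[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Firefox version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def is_patched(version: str) -> bool:
    """True only when the install is on a known branch at or above its fix."""
    v = parse_version(version)
    major = v[0]
    if major in FIXED_VERSIONS:
        return v >= FIXED_VERSIONS[major]
    # Assumption: mainline majors newer than 138 shipped after the fix.
    # Anything else (e.g. an old 137.x) is not confirmed patched.
    return major > 138


def hosts_needing_update(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return {host: version} for every entry that is not confirmed patched."""
    return {h: v for h, v in inventory.items() if not is_patched(v)}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 138.0.4",
    "ws-02": "137.0.2",
    "srv-03": "128.10.1esr",
    "srv-04": "128.9.0esr",
    "lab-05": "115.23.1esr",
    "lab-06": "115.22.0esr",
}

if __name__ == "__main__":
    for host, ver in hosts_needing_update(SAMPLE_INVENTORY).items():
        print(f"{host}: {ver} needs update")
```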
The Pwn2Own Berlin 2025 event concluded with over $1 million in awards for competitors, underscoring the ongoing challenges in information security. Similar vulnerabilities were exploited during the previous year’s Pwn2Own Vancouver 2024, with prompt resolutions also provided thereafter.