Firefox Addresses Two Zero-Day Vulnerabilities Exploited at Pwn2Own Berlin, Offering $100,000 in Bounty Rewards
Mozilla has released critical security updates to address two significant vulnerabilities in its Firefox browser that could be exploited to access sensitive data or execute arbitrary code.
The identified vulnerabilities, both demonstrated as zero-day exploits at the Pwn2Own Berlin competition, are as follows:
– CVE-2025-4918: This vulnerability involves an out-of-bounds access when resolving Promise objects, allowing an attacker to perform unauthorized read or write operations on a JavaScript Promise object.
– CVE-2025-4919: This issue pertains to an out-of-bounds access during the optimization of linear sums, potentially enabling an attacker to read from or write to a JavaScript object by manipulating array index sizes.
Successful exploitation of either vulnerability could lead to out-of-bounds read or write operations. This could be leveraged to access sensitive information or cause memory corruption, creating a pathway for arbitrary code execution.
The vulnerabilities affect the following versions of the Firefox browser:
– All versions prior to 138.0.4
– All versions of Firefox Extended Support Release (ESR) prior to 128.10.1
– All versions of Firefox ESR prior to 115.23.1
CVE-2025-4918 was identified and reported by Edouard Bochin and Tao Yan of Palo Alto Networks, while the discovery of CVE-2025-4919 has been credited to Manfred Paul.
Both vulnerabilities were publicly demonstrated at the Pwn2Own Berlin hacking contest, where each researcher was awarded $50,000 for their findings.
Given that web browsers remain a popular vector for malware delivery, it is crucial for users to update their Firefox installations to the latest version to mitigate potential threats.
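To check a fleet against the fixed versions listed above, the following added example (not Mozilla's code and not part of the original article) classifies reported Firefox version strings, judging each ESR build against its own branch rather than against the release threshold. It assumes version strings in the form printed by `firefox --version`, with ESR builds carrying an `esr` suffix; the hostnames and inventory are constructed.

```python
import re

# Fixed versions, taken from the affected-version list in the article.
FIXED_RELEASE = (138, 0, 4)
FIXED_ESR = {115: (115, 23, 1), 128: (128, 10, 1)}

# Matches "138.0.3", "128.10", "115.23.1esr"; rejects pre-release forms
# such as "139.0b5" so they are reported as unknown, not guessed at.
_VERSION_RE = re.compile(
    r"(?<![\d.])(\d+)\.(\d+)(?:\.(\d+))?(esr)?(?![\w.])", re.IGNORECASE
)


def parse_version(text):
    """Return ((major, minor, patch), is_esr), or None if unparseable."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, m.group(4) is not None


def classify(text):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    version, is_esr = parsed
    # An ESR build is judged against its own branch's fix. ESR branches not
    # named in the article fall back to the release threshold (assumption).
    fixed = FIXED_ESR.get(version[0], FIXED_RELEASE) if is_esr else FIXED_RELEASE
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory):
    """Map each host to the status of its reported Firefox version."""
    return {host: classify(reported) for host, reported in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 138.0.3",
    "ws-02": "Mozilla Firefox 138.0.4",
    "ws-03": "Mozilla Firefox 128.10.1esr",
    "ws-04": "Mozilla Firefox 128.10.0esr",
    "ws-05": "Mozilla Firefox 128.0",       # release build, not ESR
    "ws-06": "Mozilla Firefox 115.22.0esr",
    "ws-07": "Mozilla Firefox 139.0b5",     # pre-release: unknown
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual check, since their version string did not match the expected format.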