
Firefox Hit by Zero-Days, Now Patched in Update


Mozilla has shipped an out-of-band security update for Firefox that fixes two high-severity vulnerabilities demonstrated as working zero-day exploits at the Pwn2Own Berlin hacking competition. The bugs, tracked as CVE-2025-4918 and CVE-2025-4919, give an attacker an out-of-bounds read or write on JavaScript objects in the browser's JavaScript engine, a memory-corruption primitive that can be developed into arbitrary code execution in the content process when a victim visits a malicious page.

Both vulnerabilities are out-of-bounds access bugs, the class of memory error that browser exploit chains are most often built on. CVE-2025-4918 is an out-of-bounds access triggered while resolving JavaScript Promise objects. CVE-2025-4919 lets an attacker confuse array index sizes while the engine optimizes linear sums, turning an ordinary JavaScript array operation into an out-of-bounds read or write. In both Pwn2Own entries the exploit stayed inside the renderer: neither team escaped the Firefox sandbox, so the fixes close the code-execution primitive rather than a full system compromise.

The flaws affect Firefox versions prior to 138.0.4, Firefox ESR (Extended Support Release) versions prior to 128.10.1, and Firefox ESR versions prior to 115.23.1. Mozilla published the fixed builds within days of the demonstrations at Pwn2Own Berlin, where the researchers earned a $50,000 reward for each successful entry.

Edouard Bochin and Tao Yan of Palo Alto Networks were credited with CVE-2025-4918, while Manfred Paul was credited with CVE-2025-4919.

These vulnerabilities once again show that the browser is a prime target: a renderer bug like these is the usual first link in a chain that ends in malware on the endpoint. There is no evidence that either flaw was exploited in the wild before the contest, but working exploits now exist, so Mozilla advises users to update immediately. Check the installed version under Help > About Firefox (or about:support) and compare it against the fixed version for your release line, remembering that the two ESR lines have their own fixed versions and that an ESR install will not move to 138.0.4. Keeping browsers up to date remains a simple but essential defense against this class of attack.
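The version check described above, written out as a small Python script (an added example for this article, not code from Mozilla). The fixed versions are the ones the advisory lists; the output format of `firefox --version` ("Mozilla Firefox 128.10.0esr") is assumed from current builds, and the sample strings fed to the checker are constructed for illustration.

```python
import re
import subprocess
from typing import Optional, Tuple

# First fixed build on each release line, per Mozilla's advisory for
# CVE-2025-4918 / CVE-2025-4919.
FIXED = {
    "release": (138, 0, 4),
    "esr128": (128, 10, 1),
    "esr115": (115, 23, 1),
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull the dotted version out of strings like 'Mozilla Firefox 128.10.0esr'.

    The trailing 'esr' marker is ignored; the branch is inferred from the
    major number instead, because that is what decides the fixed version.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def branch_of(version: Tuple[int, ...]) -> str:
    """Map a parsed version to the release line it belongs to.

    115.x and 128.x are the two ESR lines; everything else is treated as
    the mainline release train. Unsupported majors (e.g. 137, or an old
    102 ESR) fall into 'release' and compare below 138.0.4, so they are
    correctly reported as unpatched.
    """
    major = version[0]
    if major == 128:
        return "esr128"
    if major == 115:
        return "esr115"
    return "release"


def is_patched(version_text: str) -> bool:
    """True when the installed build is at or past the fix for its line.

    Tuple comparison handles short versions: (138, 0) < (138, 0, 4) and
    (139,) > (138, 0, 4), which is the ordering we want.
    """
    version = parse_version(version_text)
    return version >= FIXED[branch_of(version)]


def installed_version(binary: str = "firefox") -> Optional[str]:
    """Ask the local Firefox binary for its version; None if it is not on PATH."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample strings covering each release line.
    samples = [
        "Mozilla Firefox 138.0.3",      # release, one build short of the fix
        "Mozilla Firefox 138.0.4",      # release, fixed
        "Mozilla Firefox 128.10.0esr",  # ESR 128, vulnerable
        "Mozilla Firefox 128.10.1esr",  # ESR 128, fixed
        "Mozilla Firefox 115.23.1esr",  # ESR 115, fixed
        "Mozilla Firefox 137.0.2",      # superseded release, still vulnerable
    ]
    for text in samples:
        print(f"{text:32} -> {'patched' if is_patched(text) else 'UPDATE NEEDED'}")

    local = installed_version()
    if local is not None:
        print(f"local install: {local} -> "
              f"{'patched' if is_patched(local) else 'UPDATE NEEDED'}")
```

Run it on an endpoint to get a per-host verdict; the branch lookup matters because an ESR 128 install reporting 128.10.1 is fully patched even though it is numerically far below 138.0.4.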
