Mozilla Firefox Addresses Critical Vulnerabilities with $100K Rewards at Pwn2Own Berlin
- John Jordan
- 1 day ago
Mozilla has recently patched two critical zero-day vulnerabilities in its Firefox browser, which were exploited during the Pwn2Own Berlin hacking competition. The flaws could allow attackers to access sensitive data or execute arbitrary code, prompting the company to issue urgent updates for users.

Key Takeaways
- Two critical vulnerabilities (CVE-2025-4918 and CVE-2025-4919) were exploited at Pwn2Own Berlin.
- Each researcher who discovered the flaws received a $50,000 reward.
- Users are urged to update to the latest Firefox versions to mitigate risks.
Overview of the Vulnerabilities
The vulnerabilities identified are:
- CVE-2025-4918: An out-of-bounds access vulnerability when resolving Promise objects, which could allow an attacker to perform an out-of-bounds read or write on a JavaScript Promise object.
- CVE-2025-4919: An out-of-bounds access vulnerability when optimizing linear sums, enabling an attacker to perform an out-of-bounds read or write on a JavaScript object by manipulating array index sizes.
Both vulnerabilities could lead to out-of-bounds read or write operations, potentially allowing attackers to access sensitive information or cause memory corruption, which could facilitate code execution.
Impacted Versions
The vulnerabilities affect the following versions of the Firefox browser:
- All versions of Firefox prior to 138.0.4.
- All versions of Firefox Extended Support Release (ESR) prior to 128.10.1.
- All versions of Firefox ESR prior to 115.23.1.
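A fleet check against the fixed versions listed above, as an added example that is not from Mozilla or the original article. It assumes version strings in the form printed by `firefox --version`, with ESR builds carrying an `esr` suffix; the hostnames and sample rows are constructed.

```python
import re

# Fixed versions as listed in the article above.
FIXED_RELEASE = (138, 0, 4)
FIXED_ESR = {115: (115, 23, 1), 128: (128, 10, 1)}

# Assumption: ESR builds report a trailing "esr", e.g. "128.10.0esr".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), is_esr) from a reported version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Firefox version found in {text!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, bool(m.group(4))


def is_affected(text):
    """True if the reported version predates the fix for its channel."""
    version, is_esr = parse_version(text)
    if not is_esr:
        return version < FIXED_RELEASE
    # ESR 115 has its own fixed build; any other ESR is compared to 128.10.1.
    return version < FIXED_ESR.get(version[0], FIXED_ESR[128])


def triage(inventory):
    """Split (host, version string) rows into hosts to update and unparsed rows."""
    to_update, unparsed = [], []
    for host, reported in inventory:
        try:
            if is_affected(reported):
                to_update.append(host)
        except ValueError:
            unparsed.append(host)  # follow up manually, do not assume patched
    return to_update, unparsed


# Constructed sample inventory (hostnames and versions invented for illustration).
SAMPLE = [
    ("ws-01", "Mozilla Firefox 138.0.3"),
    ("ws-02", "Mozilla Firefox 138.0.4"),
    ("ws-03", "Mozilla Firefox 128.10.0esr"),
    ("ws-04", "Mozilla Firefox 115.23.1esr"),
    ("ws-05", "Mozilla Firefox 115.22.0esr"),
    ("ws-06", "firefox: command not found"),
]
```

Rows that cannot be parsed are returned separately so that a host with a missing or unexpected version string is not silently counted as patched.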
Researcher Contributions
The vulnerabilities were discovered by:
- CVE-2025-4918: Edouard Bochin and Tao Yan from Palo Alto Networks.
- CVE-2025-4919: Manfred Paul.
Both researchers demonstrated their findings at the Pwn2Own Berlin event, earning a total of $100,000 in rewards for their contributions to browser security.
Importance of Updating
With web browsers being a primary target for malware delivery, it is crucial for users to keep their browsers updated. Mozilla has emphasized the importance of these updates to protect against potential threats that could exploit these vulnerabilities.
Users are encouraged to check for updates and ensure they are running the latest version of Firefox to maintain their security and privacy online.
The swift action taken by Mozilla to address these vulnerabilities highlights the ongoing battle between cybersecurity professionals and malicious actors. As the digital landscape evolves, staying informed and proactive about security measures is essential for all users.
Sources
Firefox Patches 2 Zero-Days Exploited at Pwn2Own Berlin with $100K in Rewards, The Hacker News.