Mozilla has released emergency security updates to patch two critical zero-day vulnerabilities in Firefox that were demonstrated during the Pwn2Own Berlin 2025 hacking competition.

The vulnerabilities—CVE-2025-4918 and CVE-2025-4919—affect Firefox for Desktop, Android, and two Extended Support Releases (ESR). Mozilla issued the patches just hours after the competition wrapped up on Saturday.

The first flaw, CVE-2025-4918, involves out-of-bounds read/write in the JavaScript engine when resolving Promise objects. It was exploited by Edouard Bochin and Tao Yan from Palo Alto Networks, earning them $50,000.

The second flaw, CVE-2025-4919, enables memory corruption through array index confusion. Security researcher Manfred Paul successfully exploited it to gain unauthorized access within Firefox’s renderer, also receiving $50,000.

While both vulnerabilities are rated “critical”, Mozilla noted that no sandbox escapes were achieved. “This is attributed to the recent architectural improvements to our Firefox sandbox,” Mozilla stated in its advisory.

Mozilla acted swiftly by deploying a global task force to develop and test patches. Users are urged to upgrade to:

  • Firefox 138.0.4
  • ESR 128.10.1
  • ESR 115.23.1

With no signs of real-world exploitation yet, users are advised to update immediately to prevent potential attacks inspired by the public demonstrations.
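For defenders checking an endpoint inventory against the three fixed versions above, here is an added example (not Mozilla's code) that parses reported Firefox version strings, picks the right branch floor (ESR 115, ESR 128, or the release line) and lists hosts that are still unpatched. It assumes version strings look like `138.0.4` or `128.10.1esr` and that, as the article states, only these three lines received the fix, so any other major below 138 counts as unpatched; the inventory is constructed sample data.

```python
import re

# Minimum patched version per branch, taken from the advisory summary above.
FIXED = {
    "esr115": (115, 23, 1),
    "esr128": (128, 10, 1),
    "release": (138, 0, 4),
}


def parse_version(version):
    """Turn '128.10.1esr' or '138.0.4' into a 3-tuple of ints (missing parts -> 0)."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised Firefox version string: %r" % version)
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_patched(version):
    """True if the version carries the CVE-2025-4918 / CVE-2025-4919 fix.

    ESR 115.x and 128.x have their own floors; every other major is measured
    against the 138.0.4 release (assumption: no other branch was patched).
    """
    parsed = parse_version(version)
    major = parsed[0]
    if major == 115:
        floor = FIXED["esr115"]
    elif major == 128:
        floor = FIXED["esr128"]
    else:
        floor = FIXED["release"]
    return parsed >= floor


# Constructed sample inventory (hostname, reported Firefox version); not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "138.0.3"),
    ("ws-02", "138.0.4"),
    ("srv-03", "128.10.0esr"),
    ("srv-04", "128.10.1esr"),
    ("kiosk-05", "115.23.1esr"),
    ("lab-06", "137.0.2"),
]


def unpatched_hosts(inventory):
    """Return the hostnames whose Firefox version predates the fixed release."""
    return [host for host, ver in inventory if not is_patched(ver)]


if __name__ == "__main__":
    print("still unpatched:", unpatched_hosts(SAMPLE_INVENTORY))
```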
