Mozilla Firefox users are being urged to update their browsers after two zero-day vulnerabilities were exploited live at an elite hacking competition, exposing critical weaknesses in JavaScript processing.
At a Glance
- Two Firefox zero-day vulnerabilities discovered at Pwn2Own Berlin 2025
- Bugs involve JavaScript Promise objects and array optimization flaws
- Exploits could allow unauthorized code execution, though sandbox remained intact
- Mozilla has released urgent patches for Firefox and Firefox ESR
- Users are strongly advised to update to Firefox 138.0.4 or later
Exploits Uncovered at Pwn2Own Berlin
At this year’s Pwn2Own competition in Berlin, elite researchers Edouard Bochin, Tao Yan, and Manfred Paul identified two zero-day vulnerabilities—now designated CVE-2025-4918 and CVE-2025-4919—within Mozilla Firefox. These out-of-bounds access bugs enabled attackers to read or write data beyond intended bounds by manipulating JavaScript objects or optimization logic.
The findings earned each researcher a $50,000 prize and reinforced the significance of bug bounty programs in preventing real-world exploitation.
Mozilla’s Swift Containment
Mozilla responded within days, releasing patches for Firefox, Firefox ESR, and Firefox for Android. The organization emphasized that while the exploits enabled data tampering, they failed to bypass Firefox’s sandbox—crediting recent architectural upgrades for mitigating full system compromise.
“Neither of the attacks managed to break out of our sandbox,” Mozilla stated, “which is required to gain control over the user’s system.”
How to Protect Yourself
To apply the fix:
- On desktop, open Firefox → Help → About Firefox to trigger the update.
- On Android, update via the Google Play Store.
- Users should update to Firefox 138.0.4 or ESR 128.10.1 immediately.
These updates close the loopholes used in Berlin and reinforce browser defenses against similar exploits.
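For administrators checking a fleet rather than a single desktop, the two fixed versions quoted above are on different branches (release 138.0.4, ESR 128.10.1), so a naive numeric comparison would wrongly flag every ESR build as unpatched. The following Python helper, an added example rather than code from Mozilla or this article, parses the `firefox --version` banner and compares against the fix for the detected branch; it assumes ESR builds append `esr` to the version string in that banner.

```python
import re
import shutil
import subprocess

# Minimum fixed versions per branch, as stated in Mozilla's advisory.
PATCHED = {"release": (138, 0, 4), "esr": (128, 10, 1)}


def parse_firefox_version(banner: str):
    """Parse a `firefox --version` banner such as 'Mozilla Firefox 138.0.4'
    or 'Mozilla Firefox 128.10.1esr' into (branch, version_tuple).
    The trailing 'esr' marker is an assumption about the banner format."""
    m = re.search(r"Firefox\s+(\d+(?:\.\d+)*)(esr)?", banner)
    if not m:
        raise ValueError(f"unrecognised Firefox version banner: {banner!r}")
    version = tuple(int(part) for part in m.group(1).split("."))
    branch = "esr" if m.group(2) else "release"
    return branch, version


def is_patched(banner: str) -> bool:
    """True when the build is at or above the fixed version for its own branch.
    Tuples are zero-padded so that e.g. 139.0 compares correctly with 138.0.4."""
    branch, version = parse_firefox_version(banner)
    required = PATCHED[branch]
    width = max(len(version), len(required))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(required)


def check_installed():
    """Query the local firefox binary, if any. Returns None when absent."""
    exe = shutil.which("firefox")
    if exe is None:
        return None
    out = subprocess.run([exe, "--version"], capture_output=True, text=True)
    return is_patched(out.stdout)


if __name__ == "__main__":
    # Constructed banners for a stand-alone run; the last one shows the branch pitfall.
    for sample in ("Mozilla Firefox 138.0.4", "Mozilla Firefox 138.0.3",
                   "Mozilla Firefox 128.10.1esr", "Mozilla Firefox 128.10.1"):
        print(f"{sample:32} patched={is_patched(sample)}")
    print("installed:", check_installed())
```

A release-branch build reporting 128.10.1 (no `esr` suffix) is still below 138.0.4 and is reported as unpatched, which is the intended outcome.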
Industry-Wide Implications
The broader message from Pwn2Own is clear: browser security remains a high-stakes battleground. While Firefox was the target this time, similar vulnerabilities have been reported in Chrome, underscoring the need for constant vigilance.
As zero-day researchers continue to raise the bar, the race between defenders and attackers will only intensify. Today’s update is a critical win for Firefox users—but the battle continues.