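Pwn2Own: Attacking Firefox with JavaScript Zero-Day Vulnerabilities
Mozilla quickly fixed two critical zero-day vulnerabilities in Firefox that were successfully exploited at the Pwn2Own 2025 hacking competition in Berlin. Security researchers demonstrated two successful compromises of Firefox through advanced JavaScript engine attacks. Mozilla subsequently released emergency security updates fixing the affected Firefox and Firefox ESR versions.
2025-5-19 03:58:16 Author: securityonline.info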


Mozilla has moved swiftly to patch two critical zero-day vulnerabilities in Firefox, both of which were exploited during last week’s Pwn2Own 2025 hacking competition in Berlin.

The high-profile event, known for pitting elite security researchers against popular software targets, saw Firefox compromised twice via advanced JavaScript engine exploits. In response, Mozilla released urgent security updates for Firefox and Firefox ESR, addressing the issues within a day.

Security researchers Edouard Bochin (@le_douds) and Tao Yan (@Ga1ois) from Palo Alto Networks demonstrated a successful exploit against Firefox using an out-of-bounds write vulnerability involving a JavaScript Promise object. This vulnerability, now tracked as CVE-2025-4918, allowed unauthorized memory access that could result in code execution or browser crashes.


The duo’s research earned them $50,000 and 5 Master of Pwn points, a prestigious accolade awarded to standout Pwn2Own participants.

Manfred Paul, a well-known Pwn2Own champion, exploited Firefox’s renderer using a critical integer overflow. Tracked as CVE-2025-4919, the flaw was rooted in a JavaScript array index miscalculation, which could lead to out-of-bounds reads or writes—classic pathways for escalation and remote code execution.


Paul was awarded $50,000 and 5 Master of Pwn points for his creative and precise attack vector.

According to Mozilla, the issues impacted:

  • Firefox versions prior to 138.0.4
  • Firefox ESR versions prior to 128.10.1
  • Firefox ESR versions prior to 115.23.1

Despite the usual 90-day vendor patch window granted by Trend Micro’s Zero Day Initiative (ZDI), Mozilla acted with urgency and transparency. Fixes were rolled out less than a week after the exploits were demonstrated publicly—well ahead of ZDI’s typical disclosure timeline.

Both vulnerabilities underscore the ongoing risks in modern JavaScript engines, where just one memory manipulation can compromise the entire browser. With Firefox being widely used in both personal and enterprise environments, these bugs posed a real and immediate threat—especially in the hands of skilled attackers.

All Firefox users should ensure they are running:

  • Firefox 138.0.4 or later
  • Firefox ESR 128.10.1 or later
  • Firefox ESR 115.23.1 or later

To verify your version, visit Menu → Help → About Firefox.
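For checking many machines rather than one, the sketch below is an added example (not from Mozilla or the original article) that classifies version strings against the fixed versions listed above, judging each ESR build against its own branch so that 115.23.1esr is not misread as older than 138.0.4. The input format ("Mozilla Firefox 128.10.1esr"), the host names and the fallback for unlisted ESR branches are assumptions.

```python
import re

# Fixed versions as listed in the article, keyed by ESR branch (major version).
FIXED_ESR = {115: (115, 23, 1), 128: (128, 10, 1)}
FIXED_RELEASE = (138, 0, 4)

# Assumed input: text like "Mozilla Firefox 128.10.1esr". Pre-release strings
# such as "139.0b3" deliberately do not match and are reported as unknown.
_VERSION = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?(esr)?(?![\w.])", re.IGNORECASE)


def classify(version_string):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    m = _VERSION.search(version_string)
    if m is None:
        return "unknown"
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if m.group(4):
        # ESR builds are judged against their own branch. Branches the article
        # does not list fall back to the release threshold (an assumption).
        fixed = FIXED_ESR.get(version[0], FIXED_RELEASE)
    else:
        fixed = FIXED_RELEASE
    return "patched" if version >= fixed else "vulnerable"


def hosts_needing_update(inventory):
    """Return hosts whose Firefox is not confirmed patched (unknown counts)."""
    return [host for host, version in inventory if classify(version) != "patched"]


# Constructed sample inventory (hypothetical hosts), not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "Mozilla Firefox 138.0.4"),
    ("ws-02", "Mozilla Firefox 138.0.3"),
    ("ws-03", "Mozilla Firefox 128.10.1esr"),
    ("ws-04", "Mozilla Firefox 128.10.0esr"),
    ("ws-05", "Mozilla Firefox 115.23.1esr"),
    ("ws-06", "Mozilla Firefox 115.23.0esr"),
    ("ws-07", "Mozilla Firefox 139.0b3"),
]

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        print(f"{host}: {version} -> {classify(version)}")
```

Unparseable or pre-release version strings are treated as needing review rather than as patched.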

Article source: https://securityonline.info/pwn2own-firefox-hacked-with-javascript-zero-days-details-on-the-exploits/