Undetected Firefox WebAssembly Flaw Put 180 Million Users at Risk
Firefox has a high-severity security vulnerability (CVE-2025-13016) affecting more than 180 million users. The flaw, a stack overflow caused by a pointer arithmetic error in the WebAssembly implementation, went undetected by Mozilla's tests for six months. Aisle found it with its autonomous analyzer and reported it, after which it was quickly fixed. 2025-12-2 18:30:35 Author: securityboulevard.com

A subtle but serious security flaw in Firefox’s web browser slipped past a test created by Mozilla within its WebAssembly implementation and went undetected for six months, putting more than 180 million users at risk.

The vulnerability – tracked as CVE-2025-13016 and carrying a “high” CVSS severity score of 7.5 out of 10 – was found in a single line of template code and, if exploited, could have let hackers execute arbitrary code on compromised systems.

“What makes this discovery particularly striking is the gap between the bug’s subtlety and its potential impact,” wrote Stanislav Fort, founder and chief scientist at cybersecurity startup Aisle, which came out of stealth in mid-October with an AI-driven cyber reasoning system. “The vulnerable code passed code review, included a test specifically designed to exercise the same code path, and shipped in multiple Firefox releases.”

In a report about the flaw, Fort wrote that the stack buffer overflow was the result of a “subtle pointer arithmetic error in Firefox’s WebAssembly implementation [that] silently wrote past stack buffers in hundreds of millions of browsers worldwide,” adding that it was “particularly insidious” because it got past a regression test that Mozilla had added along with the vulnerable code in April.

The vulnerability went undetected until Aisle’s autonomous analyzer found it on October 2.

“It took Aisle’s autonomous analyzer to identify what human reviewers and conventional testing missed: a memory safety violation hiding in plain sight within Firefox’s WebAssembly garbage collection logic,” he wrote.

Garbage collection automatically reclaims memory that a program no longer uses.

An Overflow Problem

The vulnerability was found in the part of Firefox’s StableWasmArrayObjectElements template class that determines how it copies inline WebAssembly array data. Mismatched pointer types in the template class result in twice as much data being written as was intended, which leads to an overflow. A second problem is that the copy starts from the wrong storage area.

“The bug becomes exploitable when Firefox’s WebAssembly engine needs to create a stable copy of inline array data during garbage collection,” Fort wrote. “The vulnerability could be triggered through WebAssembly code that creates arrays with specific element types and counts, then invokes string conversion operations under memory pressure conditions.”

From there, “when the fast-path NoGC allocation fails, Firefox’s fallback mechanism activates the vulnerable code path. With properly sized arrays, the overflow writes past the stack-allocated vector’s capacity.”
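To make the bug class concrete, here is an added illustration (constructed for this article, not Mozilla's code or the actual StableWasmArrayObjectElements source): a template copy routine whose element count is computed in units of one type while the pointer arithmetic uses a wider type, so it requests twice the intended bytes, and which starts from the object's storage base instead of its element payload. The stand-in stack buffer refuses an oversized copy instead of overflowing, so the check can be exercised safely; the specific types (uint16_t elements, a uint32_t "slot") are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Fixed-capacity buffer standing in for a stack-allocated vector. Instead of
// writing past its end, tryCopyFrom() refuses the copy and reports it.
template <size_t Capacity>
struct StackBuffer {
  uint8_t bytes[Capacity];
  size_t used = 0;
  bool tryCopyFrom(const void* src, size_t nbytes) {
    if (nbytes > Capacity) return false;  // the write an unchecked copy would overflow
    std::memcpy(bytes, src, nbytes);
    used = nbytes;
    return true;
  }
};

// Hypothetical inline-array object: a metadata word followed by the payload.
template <typename T, size_t N>
struct InlineArray {
  uint32_t header = 0xC0FFEE;  // constructed sample metadata word
  T elems[N];
  size_t numElements() const { return N; }
  const T* elements() const { return elems; }  // correct data pointer
  const uint8_t* storageBase() const { return reinterpret_cast<const uint8_t*>(this); }
};

// Buggy pattern: count is in units of T (2 bytes) but the size is taken from a
// wider Slot type (4 bytes), and the source is the object base, not the payload.
template <typename T, size_t N, size_t Cap>
bool copyInlineBuggy(const InlineArray<T, N>& arr, StackBuffer<Cap>& out) {
  using Slot = uint32_t;  // mismatched type: twice sizeof(uint16_t)
  const Slot* src = reinterpret_cast<const Slot*>(arr.storageBase());  // wrong base
  return out.tryCopyFrom(src, arr.numElements() * sizeof(Slot));       // 2x bytes
}

// Fixed pattern: size in units of T, copied from the element payload.
template <typename T, size_t N, size_t Cap>
bool copyInlineFixed(const InlineArray<T, N>& arr, StackBuffer<Cap>& out) {
  return out.tryCopyFrom(arr.elements(), arr.numElements() * sizeof(T));
}

struct Outcome { bool buggyFits; bool fixedFits; bool fixedMatches; };
Outcome demo() {
  InlineArray<uint16_t, 8> arr;
  for (size_t i = 0; i < 8; i++) arr.elems[i] = uint16_t(i * 3);
  StackBuffer<16> buf;  // exactly sized for 8 x uint16_t
  Outcome o{};
  o.buggyFits = copyInlineBuggy(arr, buf);  // asks for 32 bytes: refused
  o.fixedFits = copyInlineFixed(arr, buf);  // asks for 16 bytes: accepted
  o.fixedMatches = buf.used == 16 && std::memcmp(buf.bytes, arr.elems, 16) == 0;
  return o;
}
```

The same shape of check, an explicit byte count derived from the element type compared against the destination's capacity, is what a test exercising this path should assert on, rather than only confirming that the copy completed.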

Quick Path to a Fix

According to Aisle’s timeline, the same day that Aisle’s autonomous analyzer detected the vulnerability, Igor Morgenstern, senior researcher at the startup, reported the issue to Mozilla. Two weeks later, Mozilla’s security team confirmed the vulnerability and issued a fix.

“Mozilla’s Yury Delendik [a software engineer at Mozilla] implemented, after our responsible disclosure, a straightforward fix that addresses both issues,” Fort wrote. “The corrected code properly handles type conversions and uses the correct data pointer.”

The security flaw had a far reach, given that it was in all Firefox versions from 143 to early 145, and versions of Firefox ESR (Extended Support Release) before 140.5, which collectively have more than 180 million monthly active users, according to Fort.

A ‘Complete Reset’ Needed

Aisle, which has dual headquarters in San Francisco and Prague, Czech Republic, came out of stealth October 16, with executives arguing that, given the growing backlog of known vulnerabilities, the speed with which threat actors can exploit a security flaw, and those actors’ increasing use of AI, the industry needs new ways to protect software.

In a blog post announcing the company, founder and CEO Ondrej Vlcek noted that more than 40,000 software vulnerabilities were discovered last year, and that “each one represents potential exposure, and every day the list grows longer. And even the critical ones take organizations on average 45 days to fix. Meanwhile, attackers only need five days to exploit them.”

“This moment calls for a complete reset in how we think about security,” Vlcek wrote. “The old model of scan, prioritize, patch will not scale when organizations already face a backlog of hundreds of thousands of vulnerabilities, and are faced with AI used for offensive purposes. Security teams are locked into a never-ending cycle of remediation that just isn’t hitting the mark anymore.”

Vlcek wrote that Aisle’s Cyber Reasoning System uses AI to discover zero-day flaws, automatically remediate them, and verify every fix before it’s put into production. The company wants to drive the push to reduce the vulnerability backlog to zero.

Source: https://securityboulevard.com/2025/12/undetected-firefox-webassembly-flaw-put-180-million-users-at-risk/