Mozilla has released emergency Firefox patches for two critical zero-day vulnerabilities discovered during the Pwn2Own hacking contest. CVE-2025-4918, credited to Edouard Bochin and Tao Yan of Palo Alto Networks, and CVE-2025-4919, credited to Manfred Paul, could potentially be exploited to access sensitive data or achieve code execution.
Exploits for both flaws were demonstrated at Pwn2Own, but neither attack managed to escape the Firefox sandbox, so neither resulted in a takeover of the target system. Mozilla nonetheless considers the flaws dangerous and urges users to update their browsers to the latest versions.
Vulnerability Details
Detailed information about these flaws is not yet publicly available. What is known so far:
- CVE-2025-4918 involves the resolution of Promise objects
- CVE-2025-4919 occurs while optimizing linear sums and is exploited by confusing array index sizes
- Both are out-of-bounds access flaws
- Both could allow an attacker to perform an out-of-bounds read or write on a JavaScript object
Affected Products
- All versions of Firefox before 138.0.4 (including Firefox for Android)
- All versions of Firefox Extended Support Release (ESR) before 128.10.1
- All versions of Firefox ESR before 115.23.1
Mozilla recommends that users apply the aforementioned patches as soon as possible.
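To turn the affected-version list above into something an inventory or patch-compliance job can act on, the following is an added example (not Mozilla's or SecPod's code) that classifies a reported Firefox version string against the three fixed releases named in this post. It assumes version strings in the form Firefox itself reports, such as "138.0.3" or "128.10.0esr" (ESR builds carry an "esr" suffix), and the hostnames and versions in the sample inventory are constructed for illustration.

```python
"""Flag Firefox installs still exposed to CVE-2025-4918 / CVE-2025-4919.

Added example for this post, not Mozilla or SecPod code. The fixed versions
are taken from the advisory text: 138.0.4 (release), 128.10.1 (ESR) and
115.23.1 (ESR). Version strings are assumed to look the way Firefox reports
them, e.g. "138.0.3" or "128.10.0esr".
"""
import re

FIXED_RELEASE = (138, 0, 4)
FIXED_ESR_128 = (128, 10, 1)
FIXED_ESR_115 = (115, 23, 1)

# Digits separated by dots, with an optional "esr" channel suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(esr)?$", re.IGNORECASE)


def parse_version(raw: str) -> tuple[tuple[int, ...], bool]:
    """Split "128.10.0esr" into ((128, 10, 0), True). Raises ValueError on junk."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {raw!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts, m.group(2) is not None


def _pad(v: tuple[int, ...], n: int = 3) -> tuple[int, ...]:
    """Right-pad with zeros so "138.0" compares as 138.0.0."""
    return v + (0,) * (n - len(v))


def fixed_version_for(version: tuple[int, ...], esr: bool) -> tuple[int, ...]:
    """Pick the fixed release that applies to this install's update channel."""
    if not esr:
        return FIXED_RELEASE
    # ESR 115 is its own branch: 115.23.1 is patched even though it sorts
    # below 128.10.1. Any other ESR (older or the 128 line) is measured
    # against 128.10.1, which also marks every pre-115.23.1 ESR as affected.
    if version[0] == 115:
        return FIXED_ESR_115
    return FIXED_ESR_128


def is_affected(raw: str) -> bool:
    """True if the reported version predates the fix for its channel."""
    version, esr = parse_version(raw)
    return _pad(version) < _pad(fixed_version_for(version, esr))


def report(inventory: dict[str, str]) -> dict[str, str]:
    """Map host -> "patched" or "UPDATE to <fixed version>" for a host->version inventory."""
    out = {}
    for host, raw in inventory.items():
        version, esr = parse_version(raw)
        fixed = fixed_version_for(version, esr)
        if _pad(version) < _pad(fixed):
            out[host] = "UPDATE to " + ".".join(map(str, fixed)) + ("esr" if esr else "")
        else:
            out[host] = "patched"
    return out


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ws-01": "138.0.3",
    "ws-02": "138.0.4",
    "srv-01": "128.10.0esr",
    "srv-02": "128.10.1esr",
    "kiosk-01": "115.22.0esr",
    "kiosk-02": "115.23.1esr",
}

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host:10} {SAMPLE_INVENTORY[host]:14} {status}")
```

The channel matters: a naive "is it below 138.0.4?" check would flag every ESR install, including fully patched 128.10.1 and 115.23.1, while a plain numeric comparison against 128.10.1 would miss that 115.23.1 is fixed. Feeding this the version field from `firefox --version` or an endpoint agent's software inventory gives a per-host list of what still needs the update.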
Instantly Fix Risks with Saner Patch Management
Saner patch management is continuous, automated, and integrated patching software that instantly fixes risks exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.