Listen to this Post
In an urgent response to newly discovered threats, Mozilla has released critical security updates for its Firefox browser after two dangerous zero-day vulnerabilities were uncovered at the recent Pwn2Own Berlin hacking event. These flaws posed serious risks, potentially allowing cyber attackers to gain unauthorized access to sensitive data or execute malicious code directly on affected systems. The vulnerabilities, identified as CVE-2025-4918 and CVE-2025-4919, highlight the persistent threats web users face and the importance of staying current with browser updates.
Firefox Hit by Two High-Risk Vulnerabilities
Mozilla has swiftly rolled out patches to fix two severe vulnerabilities in the Firefox browser. These flaws, which were actively exploited during the Pwn2Own Berlin competition, could have allowed attackers to manipulate JavaScript Promise objects and array indexes in dangerous ways. Here’s what you need to know:
CVE-2025-4918 involves an out-of-bounds access issue in handling JavaScript Promises. If exploited, an attacker could read or write outside the expected memory range, potentially compromising sensitive data or causing memory corruption.
CVE-2025-4919 is another out-of-bounds access bug, but this time related to how Firefox optimizes linear sums. It allows manipulation of array index sizes, opening the door to arbitrary memory access and possible code execution.
These vulnerabilities were discovered and demonstrated by cybersecurity experts Edouard Bochin, Tao Yan (both from Palo Alto Networks), and Manfred Paul, who earned \$50,000 each for their successful exploitation during the Pwn2Own Berlin contest.
Affected versions of Firefox include:
Firefox versions before 138.0.4
Firefox ESR versions before 128.10.1
Firefox ESR versions before 115.23.1
Given the severity and public demonstration of these flaws, Mozilla advises all users to update their browsers immediately to mitigate the risk of exploitation.
What Undercode Say:
The revelation of CVE-2025-4918 and CVE-2025-4919 underscores a larger trend in cybersecurity: browsers remain a primary target for threat actors, and even the most well-maintained ones are not immune to exploitation. These particular zero-day bugs show how sophisticated modern attacks have become, especially when it comes to manipulating memory in subtle yet dangerous ways.
The use of out-of-bounds access as an attack vector is not new, but it continues to be effective. This is largely because programming languages like C++ (used in Firefox) offer flexibility and performance but often sacrifice safety checks, making them fertile ground for memory corruption exploits.
More alarming is how these flaws were not theoretical—they were proven live in a controlled environment by expert hackers. Pwn2Own competitions simulate real-world attack scenarios and serve as a grim reminder that if white-hat hackers can uncover these flaws, malicious actors might be just as capable.
JavaScript’s flexibility and widespread usage also make it an ideal target. Promise objects and array manipulation are both core components of modern web applications. Attackers exploiting them can potentially breach sandboxed environments or escalate their privileges.
Mozilla’s quick response is commendable, but it also reflects how critical these flaws were. The broader lesson here is about software lifecycle management. Even browsers, updated frequently, still harbor dangerous bugs. Developers must integrate fuzzing, formal verification, and ongoing security audits to stay ahead.
From a user perspective, automatic updates are no longer a convenience—they’re a necessity. With browsers being an essential interface for cloud services, banking, social media, and communication, any security lapse becomes a high-stakes game.
Additionally, enterprise environments running ESR (Extended Support Release) versions of Firefox must be especially cautious. These versions are often used in controlled, corporate settings and may not update automatically. IT administrators should prioritize applying these patches across all endpoints.
The fact that these bugs earned \$100,000 in rewards shows how much value is placed on browser security—and rightly so. Firefox, as an open-source browser, allows for more community-driven oversight, but it also means vulnerabilities might be easier to study for those with ill intent.
In the coming months, expect similar flaws to surface across other browsers, including Chromium-based ones. The push for faster performance and more features must be balanced with robust security practices.
✅ Fact Checker Results:
Both vulnerabilities were confirmed by Mozilla and exploited during Pwn2Own.
CVE-2025-4918 and CVE-2025-4919 are out-of-bounds access flaws.
Patches are now available, and updates are strongly recommended. 🔒🧠🚨
🔮 Prediction:
Given the growing sophistication of attacks targeting browser engines, more zero-day vulnerabilities are likely to emerge throughout 2025. Security researchers and browser developers will need to collaborate more closely than ever to identify and patch these flaws before they can be exploited in the wild. Expect Mozilla to invest in deeper sandboxing and real-time threat detection mechanisms to maintain trust in its ecosystem.
References:
Reported By: thehackernews.com
Extra Source Hub:
https://www.twitter.com
Wikipedia
Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
