Jump to content
Login new information ×
Login new information
  • Security & Privacy News

    Mozilla fixes Firefox zero-days exploited at hacking contest

    Karlston

    By Karlston,
    Published Date:

    • 49 views
    • 2 minutes
     Share
    • 49 views
    • 2 minutes

    Mozilla released emergency security updates to address two Firefox zero-day vulnerabilities demonstrated in the recent Pwn2Own Berlin 2025 hacking competition.

     

    The fixes, which include the Firefox on Desktop and Android and two Extended Support Releases (ESR), came mere hours after the conclusion of Pwn2Own, on Saturday, where the second vulnerability was demonstrated.

     

    The first flaw, tracked under CVE-2025-4918, is an out-of-bounds read/write issue in the JavaScript engine when resolving Promise objects.

     

    The flaw was demonstrated during Day 2 of the competition by Palo Alto Networks security researchers Edouard Bochin and Tao Yan, who earned $50,000 for their discovery.

     

    The second flaw, CVE-2025-4919, allows attackers to perform out-of-bounds reads/writes on a JavaScript object by confusing array index sizes.

     

    It was discovered by security researcher Manfred Paul, who gained unauthorized access within the program's renderer, winning $50,000 in the process.

     

    Although the flaws constitute significant risks for Firefox, with Mozilla rating them "critical" in its bulletins, the software vendor underlined that neither researchers could perform a sandbox escape, citing targeted strengthening on that front.

     

    "Unlike prior years, neither participating group was able to escape our sandbox this year," explained Firefox in the announcement.

     

    "We have verbal confirmation that this is attributed to the recent architectural improvements to our Firefox sandbox which have neutered a wide range of such attacks."

     

    Although there are no indications that the two flaws have been exploited outside of Pwn2Own, their public demonstration could fuel real attacks soon.

     

    To mitigate this risk, Mozilla engaged a diverse "task force" from across the globe that worked feverishly to develop fixes for the demonstrated exploits, test them, and push out security updates as soon as possible.

     

    Firefox users are recommended to upgrade to version 138.0.4, ESR 128.10.1, or ESR 115.23.1.

     

    Pwn2Own Berlin 2025 concluded on Saturday with over a million USD in payouts and the STAR Labs SG team winning the 'Master or Pwn' title.

     

    Two Firefox zero-days were also demonstrated last year at Pwn2Own Vancouver 2024, with Mozilla fixing them the next day.

     

    Source

     

    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every day for many years.

    News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of April): 1,811

    RIP Matrix | Farewell my friend  :sadbye:

     Share
    Go to news

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

    ×

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...