Mozilla wasted no time and released urgent security patches for two zero-day vulnerabilities in Firefox that were exposed during the Pwn2Own Berlin 2025 hacking contest. The updates, which cover the desktop and Android versions as well as the Extended Support Release (ESR) branches, came out within hours of the second flaw being demonstrated, as the contest was wrapping up.
The first of these vulnerabilities, tracked as CVE-2025-4918, is an out-of-bounds read/write bug in SpiderMonkey, Firefox's JavaScript engine, triggered when resolving Promise objects. Yes, it sounds technical, but in short: a crafted web page could read and write memory it should not be able to touch, and that is exactly the kind of primitive an attacker turns into code execution inside the browser if the bug is not patched quickly.
The second day of Pwn2Own Berlin 2025 brought a headline demonstration: security researchers Edouard Bochin and Tao Yan of Palo Alto Networks exploited that flaw in Firefox and took home $50,000 as a reward.
Then came another vulnerability, tracked as CVE-2025-4919, which allowed reads and writes outside the bounds of a JavaScript object because of a mix-up in the size of an array index. This one was discovered by Manfred Paul, whose exploit also gave him code execution in the browser's renderer (the content process that runs web pages)... and yes, he earned another $50,000 for it.
Although Mozilla rated both vulnerabilities as critical, the good news is that neither researcher managed to break out of the Firefox sandbox, i.e., the "safe zone" that keeps a compromised content process from reaching the rest of the system. In practice this means the exploits stopped at the renderer and did not get to the operating system.
“This year, unlike previous years, no computer managed to escape our protected environment,” Mozilla explained in its statement. The company attributed this to recent improvements in its sandbox architecture, which have blocked several classes of attack that previously worked.
Although there are so far no signs that these flaws have been exploited outside the contest, the simple fact that they have been publicly demonstrated could motivate real attackers to reproduce them.
That is why Mozilla acted fast: it assembled an international response team that worked around the clock to analyze the bugs, test fixes and ship security updates as soon as possible.
Do you use Firefox? Here's what you should do right now
To stay protected, update to the fixed version for the branch you are on:
- Firefox 138.0.4
- Firefox ESR 128.10.1
- Firefox ESR 115.23.1
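A quick way to check whether an installed copy is on one of those fixed versions, as an added example that is not part of the original article and not Mozilla's own tooling: the script below parses the version string Firefox prints (the `Mozilla Firefox 138.0.4` / `128.10.1esr` formats are assumed here) and compares it against the minimum fixed version for its branch. It handles the branch split the list above implies: a 128.x or 115.x install is measured against its ESR fix, anything else against the mainline 138.0.4, so an old non-ESR build such as 137.0.2 is correctly reported as unpatched.

```python
import re
import subprocess

# Minimum fixed versions per branch, taken from the advisory list above.
FIXED_VERSIONS = {
    "release": (138, 0, 4),
    "esr128": (128, 10, 1),
    "esr115": (115, 23, 1),
}


def parse_firefox_version(text):
    """Return ((major, minor, patch), is_esr) from a string such as
    'Mozilla Firefox 138.0.4' or '128.10.1esr'. A missing patch number
    (e.g. '139.0') is treated as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", text)
    if not m:
        raise ValueError("no Firefox version found in: %r" % text)
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    return (major, minor, patch), m.group(4) is not None


def branch_for(version):
    """Map a version tuple to the branch whose fix applies to it.
    Major 115 and 128 are the ESR lines; everything else is mainline."""
    major = version[0]
    if major == 115:
        return "esr115"
    if major == 128:
        return "esr128"
    return "release"


def is_patched(version_text):
    """True if the given Firefox version carries the Pwn2Own Berlin 2025
    fixes (CVE-2025-4918 / CVE-2025-4919) for its branch."""
    version, _esr = parse_firefox_version(version_text)
    # Tuple comparison orders (major, minor, patch) lexicographically,
    # so 138.0.4 >= 138.0.4 and 137.0.2 < 138.0.4 behave as expected.
    return version >= FIXED_VERSIONS[branch_for(version)]


def check_installed(binary="firefox"):
    """Run `<binary> --version` and report the result. Assumes the binary
    is on PATH; returns None if it cannot be executed."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=True).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None
    return out, is_patched(out)


if __name__ == "__main__":
    result = check_installed()
    if result is None:
        print("could not run firefox --version")
    else:
        text, ok = result
        print("%s -> %s" % (text, "patched" if ok else "UPDATE REQUIRED"))
```

Run it on a machine with Firefox on the PATH, or pass the path to the binary to `check_installed`; on fleets, feed the version strings collected by your inventory tool into `is_patched` instead of shelling out on each host.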
The Pwn2Own Berlin 2025 event closed on Saturday with more than $1 million in prize money awarded, and the STAR Labs SG team took the title of “Master of Pwn.” Fun fact: last year, at Pwn2Own Vancouver 2024, two zero-day bugs in Firefox were also revealed... and, just like now, Mozilla fixed them the next day.