Critical Firefox 0-Day Flaws Enable Remote Code Execution

Mozilla has urgently released Firefox 138.0.4, addressing two critical security vulnerabilities that were successfully exploited during the Pwn2Own Berlin 2025 hacking competition.

The flaws, tracked as CVE-2025-4918 and CVE-2025-4919, impact both the standard and Extended Support Release (ESR) versions of the browser, prompting a swift response from Mozilla’s security team.

Background: Pwn2Own Exploits Prompt Rapid Response

The vulnerabilities came to light after security researchers demonstrated working exploits against Firefox at Pwn2Own Berlin 2025, a premier event where top security experts showcase zero-day attacks.

While the exploits did not escape Firefox’s sandbox security feature that isolates browser processes, they were deemed severe enough to warrant immediate action.

Mozilla responded by releasing patched versions within hours of the public demonstration, continuing its tradition of rapid incident response.

Details of the Vulnerabilities

CVE-2025-4918: Out-of-Bounds Access in JavaScript Promise Objects

  • Technical Description: This vulnerability allowed attackers to perform out-of-bounds read or write operations on JavaScript Promise objects. Out-of-bounds access occurs when code reads from or writes to memory locations outside the intended buffer, potentially leading to arbitrary code execution or data leakage.
  • Root Cause: The flaw was triggered during the resolution of JavaScript Promise objects, a core feature for handling asynchronous operations in modern web applications.
  • Reporter: Edouard Bochin and Tao Yan from Palo Alto Networks, working with Trend Micro’s Zero Day Initiative.
  • Impacted Versions: Firefox versions before 138.0.4, Firefox ESR before 128.10.1, and Firefox ESR before 115.23.1.

CVE-2025-4919: Out-of-Bounds Access via Array Index Confusion

  • Technical Description: This vulnerability involved out-of-bounds read or write on JavaScript objects by confusing array index sizes during linear sum optimizations. Attackers could manipulate array indices to access memory outside the bounds of the array, a classic vector for exploiting memory corruption bugs.
  • Root Cause: The issue arose from improper optimization of linear sums in JavaScript code, which could be abused to bypass internal safety checks.
  • Reporter: Manfred Paul, also working with Trend Micro’s Zero Day Initiative.
  • Impacted Versions: Same as above: Firefox < 138.0.4, Firefox ESR < 128.10.1, and Firefox ESR < 115.23.1.

Severity and Impact

Both vulnerabilities received a “critical” rating, the highest severity level assigned by Mozilla.

While the sandbox prevented the exploits from achieving full system compromise during the competition, successful exploitation could still allow attackers to execute arbitrary code within the browser context, steal sensitive data, or potentially chain with other vulnerabilities for broader attacks.

Update Instructions and Mitigation

Mozilla advises all users and administrators to update Firefox immediately.

Most installations will update automatically, but users can manually trigger the update by navigating to Menu > Help > About Firefox, which will check for and install the latest version.

Patched Versions:

  • Firefox Stable: 138.0.4
  • Firefox ESR: 128.10.1 and 115.23.1
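
For administrators checking a fleet against these fixed versions, the following is an added example (not from Mozilla or the original article). It assumes version banners in the form printed by `firefox --version`, handles only release and ESR builds, and uses a constructed host inventory.

```python
import re

# Fixed versions named in the article.
RELEASE_FIXED = (138, 0, 4)
ESR_FIXED = {128: (128, 10, 1), 115: (115, 23, 1)}  # keyed by ESR branch major

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner):
    """Return (major, minor, patch) from a banner such as
    'Mozilla Firefox 128.10.0esr', or None if no version is present."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_patched(banner):
    """True if the version is at or above the fix for its branch.
    Raises ValueError on unparseable input so that unknown hosts are
    never silently counted as safe."""
    version = parse_version(banner)
    if version is None:
        raise ValueError(f"no Firefox version found in {banner!r}")
    # 128.x and 115.x are judged against their own ESR fix. A non-ESR
    # 128.x or 115.x release sits below that threshold too, so the
    # "esr" suffix is not needed to reach the right answer.
    threshold = ESR_FIXED.get(version[0], RELEASE_FIXED)
    return version >= threshold


def audit(inventory):
    """Return the sorted host names still running a vulnerable build."""
    return sorted(host for host, banner in inventory if not is_patched(banner))


# Constructed sample inventory: (host, output of `firefox --version`).
SAMPLE = [
    ("ws-01", "Mozilla Firefox 138.0.4"),
    ("ws-02", "Mozilla Firefox 138.0.3"),
    ("ws-03", "Mozilla Firefox 128.10.1esr"),
    ("ws-04", "Mozilla Firefox 128.10.0esr"),
    ("ws-05", "Mozilla Firefox 115.23.1esr"),
    ("ws-06", "Mozilla Firefox 115.22.0esr"),
    ("ws-07", "Mozilla Firefox 137.0"),
]

if __name__ == "__main__":
    print("Needs update:", audit(SAMPLE))
```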

Industry Response and Best Practices

Mozilla’s rapid patch deployment underscores the importance of timely security updates in the face of active exploitation.

The company’s mature release management and bug bounty programs have enabled it to respond quickly to critical threats, maintaining user trust and browser integrity.

Technical Note:
Out-of-bounds vulnerabilities, such as those in CVE-2025-4918 and CVE-2025-4919, often arise from improper bounds checking in memory operations.

In JavaScript, this can be particularly dangerous due to the dynamic and complex nature of objects and arrays.

The class of operation involved can be illustrated with a simple out-of-range array write, which the engine must handle safely:

    let arr = [1, 2, 3];
    arr[1000] = 42; // Potential for out-of-bounds access if not properly handled internally

With exploits already demonstrated in the wild, immediate action is essential.

Users should ensure their browsers are updated to Firefox 138.0.4 or the latest ESR versions to remain protected against these critical threats.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
