Mozilla released a security advisory to address two critical severity vulnerabilities in Firefox. Tracked as CVE-2025-4919 & CVE-2025-4918, the vulnerabilities may allow attackers to access sensitive data or execute code.
Both vulnerabilities are exploited as a zero-day at Pwn2Own Berlin. Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities.
CVE-2025-4918: Out-of-bounds access when resolving Promise objects
Edouard Bochin and Tao Yan from Palo Alto Networks, working with Trend Micro’s Zero Day Initiative, have discovered and reported the vulnerability to Mozilla. An attacker may exploit the vulnerability to perform an out-of-bounds read or write on a JavaScript Promise object.
CVE-2025-4919: Out-of-bounds access when optimizing linear sums
Manfred Paul, working with Trend Micro’s Zero Day Initiative, discovered and reported the vulnerability to Mozilla. An attacker may exploit the vulnerability to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes.
Affected Versions
- Firefox ESR versions before 128.10.1
- Firefox ESR versions before 115.23.1
Mitigation
Users must upgrade to Firefox ESR 115.23.1 and Firefox ESR 128.10.1 versions to mitigate the vulnerability.
For more information, please refer to the Mozilla security advisory.
Qualys Detection
Qualys customers can scan their devices with QIDs 383252 and 383254 to detect vulnerable assets.
Please follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
https://www.mozilla.org/en-US/security/advisories/mfsa2025-37/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-38/
