184/68 Wednesday, May 21, 2025
Mozilla has released a security update for its Firefox browser to address two zero-day vulnerabilities that were exploited during the Pwn2Own Berlin 2025 hacking contest. These flaws could allow attackers to access sensitive data or execute malicious code in memory, and the exploits earned researchers a combined $100,000 in prize money. Details of the vulnerabilities are as follows:
- CVE-2025-4918: An out-of-bounds access vulnerability triggered during the resolution of a JavaScript Promise object, which could allow attackers to read or write data to unintended memory locations.
- CVE-2025-4919: Another out-of-bounds access flaw caused by the optimization of linear sums during mathematical operations, enabling manipulation of array index sizes to access unauthorized JavaScript object data.
These vulnerabilities affect the following versions of Firefox:
- Firefox prior to version 138.0.4 (including Firefox for Android)
- Firefox Extended Support Release (ESR) prior to version 128.10.1
- Firefox ESR prior to version 115.23.1
The vulnerabilities were discovered and demonstrated at the Pwn2Own event by:
- Edouard Bochin and Tao Yan of Palo Alto Networks for CVE-2025-4918
- Manfred Paul for CVE-2025-4919
Each researcher received $50,000 in rewards for their respective exploits. In its official statement, Mozilla noted that “although the attacks could not escape the sandbox, their severity still warrants urgent updates to the latest Firefox version by users and administrators.” This is especially critical at a time when browsers continue to be primary vectors for malware distribution and system compromise.
Source https://thehackernews.com/2025/05/firefox-patches-2-zero-days-exploited.html
