Mozilla released emergency security updates for Firefox just a few hours after the Pwn2Own Berlin 2025 hacking competition ended. The reason was two critical zero-day vulnerabilities that were discovered in the browser and publicly demonstrated at the event.
The first vulnerability, CVE-2025-4918 (CVSS score: 7.5), affects the Firefox JavaScript engine. It allows out-of-bounds reads and writes when working with Promise objects. The flaw was found by specialists from Palo Alto Networks, who received $50,000 for a successful demonstration.
The second vulnerability, CVE-2025-4919 (8.8), is also associated with JavaScript but concerns the manipulation of array indexes. Researcher Manfred Paul showed how improper handling of arrays makes it possible to read and write out-of-bounds memory. For this demonstration, he also received $50,000.
Both vulnerabilities are recognized as critical, since they allow potential attackers to tamper with the memory of the process. However, according to Mozilla's statement, none of the researchers was able to escape the browser sandbox, which is usually the next step in building a full attack chain. The developers attribute this to recent architectural changes that seriously strengthened the Firefox sandbox. According to them, it was these improvements that neutralized a whole class of attacks that had been successful a year ago.
Although there is no evidence that the vulnerabilities are already being exploited in real attacks, their public disclosure at the competition may become a catalyst for exploitation attempts in the near future. That is why Mozilla quickly assembled an international team that prepared, tested and released updates for all current versions of the browser, both on desktop systems and on Android.
Updates are already available for Firefox 138.0.4, as well as for long-term support-
The Pwn2Own Berlin 2025 competition ended on May 17. The total prize money exceeded a million dollars, and the Master of Pwn title went to the STAR Labs SG team.