Firefox 0-day Vulnerabilities

Mozilla has released an emergency security update to address two critical vulnerabilities in Firefox that could allow attackers to execute malicious code on users’ systems. 

The vulnerabilities affect the current release branch and both Extended Support Release (ESR) branches of the browser and require immediate attention from users. Exploitation requires no more user interaction than visiting an attacker-controlled web page.

A remote attacker can trick the victim into visiting a specially crafted website, trigger an out-of-bounds read or write, and execute arbitrary code on the target system.


Critical Firefox Vulnerabilities 

Security researchers have demonstrated two out-of-bounds read/write vulnerabilities (CVE-2025-4918 and CVE-2025-4919) in SpiderMonkey, Firefox's JavaScript engine, that could be exploited to compromise affected systems.

These flaws were reported through Trend Micro's Zero Day Initiative (ZDI), which runs the Pwn2Own contest, and have been rated "critical" by Mozilla due to their potential impact.

The first vulnerability, tracked as CVE-2025-4918, is an out-of-bounds read or write on a JavaScript Promise object.

According to Mozilla’s security advisory, “An attacker was able to perform an out-of-bounds read or write on a JavaScript Promise object”. This flaw was uncovered by Edouard Bochin and Tao Yan from Palo Alto Networks.

The second vulnerability, CVE-2025-4919, enables attackers to “perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes”. This vulnerability was reported by security researcher Manfred Paul.

Both vulnerabilities could potentially allow remote attackers to execute arbitrary code on victims’ systems by tricking users into visiting maliciously crafted websites.

CVEs: CVE-2025-4918, CVE-2025-4919
Affected Products: Mozilla Firefox < 138.0.4; Mozilla Firefox ESR < 128.10.1; Mozilla Firefox ESR < 115.23.1
Impact: Execute malicious code
Exploit Prerequisites: Attacker must trick the user into visiting a maliciously crafted web page (user interaction required)
CVSS 3.1 Score: 8.8 (High)

Affected Versions

The security flaws impact multiple Firefox versions:

  • Firefox versions prior to 138.0.4.
  • Firefox ESR (Extended Support Release) versions prior to 128.10.1.
  • Firefox ESR versions prior to 115.23.1.

According to security analysis firm Cybersecurity Help, the affected versions span from Firefox 110.0 through 138.0.3 and Firefox ESR versions 102.0 through 128.10.0.

The vulnerabilities carry a CVSS 3.1 base score of 8.8 (High). Mozilla's "critical" label comes from its own severity scale, which is separate from CVSS, so the two ratings do not contradict each other.

Mozilla responded quickly to the vulnerabilities, which were demonstrated at the Pwn2Own Berlin 2025 security competition in May 2025.

Users are strongly advised to update their Firefox installations immediately to the latest versions:

  • Firefox 138.0.4.
  • Firefox ESR 128.10.1.
  • Firefox ESR 115.23.1.

Updates can be applied by selecting “Help” from the Firefox menu and clicking “About Firefox.” Mac users should select “About Firefox” from the Firefox menu.
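The update check above is manual. As an added example, not taken from the article or from Mozilla, the following POSIX shell script compares the banner printed by `firefox --version` against the fixed version for its branch (138.0.4 for the release channel, 128.10.1 and 115.23.1 for the two ESR branches, as listed in Mozilla's advisory). The banner format and the `firefox` binary name are assumptions; the script is meant for fleet inventories where opening "About Firefox" on every machine is not practical.

```shell
#!/bin/sh
# Added example (not from the article or Mozilla): decide whether an installed
# Firefox reports a version at or above the fix for CVE-2025-4918/CVE-2025-4919.
# Fixed versions from Mozilla's advisory: Firefox 138.0.4, ESR 128.10.1,
# ESR 115.23.1. The input is assumed to be what `firefox --version` prints,
# e.g. "Mozilla Firefox 138.0.3" or "Mozilla Firefox 128.10.0esr".

# version_ge A B: succeed when dotted version A is numerically >= B.
# Missing trailing components count as 0, so 138.0 equals 138.0.0.
# (Plain sh has no local variables, so a, b, x, y are global scratch names.)
version_ge() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}" y="${b%%.*}"
    a="${a#*.}"  b="${b#*.}"
    : "${x:=0}" "${y:=0}"
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# firefox_patched "<version banner>": print a verdict and return
# 0 when patched, 1 when vulnerable, 2 when no version could be parsed.
firefox_patched() {
  # Pull the leading dotted number out of the banner; an "esr" suffix is dropped.
  ver=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*$/\1/p')
  if [ -z "$ver" ]; then
    echo "unknown: could not parse a version from '$1'"
    return 2
  fi
  # Each supported ESR branch got its own fixed build; every other major is
  # measured against the mainline fix, matching the advisory's "Firefox < 138.0.4".
  # End-of-life branches such as 137.x therefore come out as vulnerable.
  case "${ver%%.*}" in
    115) fixed=115.23.1 ;;
    128) fixed=128.10.1 ;;
    *)   fixed=138.0.4 ;;
  esac
  if version_ge "$ver" "$fixed"; then
    echo "patched: $ver >= $fixed"
    return 0
  fi
  echo "vulnerable: $ver < $fixed (update to $fixed or later)"
  return 1
}

# Stand-alone use: pass the banner as the first argument and exit with the verdict.
if [ "$#" -gt 0 ]; then
  firefox_patched "$1"
  exit $?
fi
```

Run it as `sh firefox_check.sh "$(firefox --version)"`; the exit status is 0 only when the installed build is at or above the fixed version for its branch, which makes it easy to wire into an inventory job. The `esr` suffix is ignored on purpose: the branch is chosen from the major version, so a 128.x build is checked against 128.10.1 whether or not the banner says ESR.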

Because working exploits for both flaws have already been demonstrated publicly and the fix is now available, immediate patching is essential for maintaining system security and data integrity.

As browser-based attacks continue to evolve in sophistication, keeping software updated remains one of the most effective defenses against potential security compromises.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers cyber security incidents across the industry.