
Mozilla Just Patched Two Firefox Zero-Days Discovered at a Hacking Contest

If you’re a Firefox user, you need to update your browser. Mozilla has released a security patch for two zero-day vulnerabilities identified at the recent Pwn2Own hacker contest held in Berlin. Zero-days are critical security flaws that have been actively exploited or publicly disclosed before an official fix is available.

Browsers are targets for malware, and Firefox isn’t the only browser in which zero-day exploits have been discovered in recent days. Earlier this month, Google released an emergency patch for Chrome to address a high-severity vulnerability (CVE-2025-4664) that permitted full account takeover—CISA later confirmed that this flaw was being actively exploited in attacks. (If you’re using Chrome, you should consider other privacy-focused browser alternatives anyway.)

Zero-days discovered in Firefox

Both zero-day exploits discovered at Pwn2Own Berlin are out-of-bounds flaws that allow attackers to read or write data, potentially gaining access to sensitive information or permitting code execution. CVE-2025-4918 allows read or write on a JavaScript Promise object (a proxy value for a process that hasn’t been completed yet) while CVE-2025-4919 permits read or write on a JavaScript object (a collection of “properties,” which are associations between keys and values).

CVE-2025-4918 was discovered by Edouard Bochin and Tao Yan from Palo Alto Networks, while CVE-2025-4919 was reported by Manfred Paul—each won $50,000 for their hacks.

The following versions of Firefox are vulnerable to these flaws and should be updated:

  • Firefox before 138.0.4
  • Firefox Extended Support Release (ESR) before 128.10.1
  • Firefox ESR before 115.23.1
  • Firefox for Android

While Mozilla was quick to address these flaws, the company notes that neither broke out of Firefox’s “sandbox,” which would be required in order to take control of a target’s machine. That’s a good sign for Firefox’s overall security, as attackers at previous Pwn2Own competitions successfully broke out of the sandbox. Still, Mozilla recommends all users install the new patches as soon as possible.

How to update Firefox to the latest version

If you’re a Firefox user, make sure your browser is up to date. You can check which version you’re on by going to Firefox > About Firefox. Click the Restart to Update Firefox button if it appears.
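
For anyone checking more than one machine, the fixed versions listed above can be applied to the version strings that `firefox --version` prints. The following is an added example, not code from Mozilla or from the original article; the function names, the handling of ESR lines other than 115 and 128, and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed versions from the article's list. Firefox for Android is skipped:
# the article gives no version number for it.
FIXED_RELEASE = (138, 0, 4)
FIXED_ESR_128 = (128, 10, 1)
FIXED_ESR_115 = (115, 23, 1)

_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text):
    """Parse e.g. 'Mozilla Firefox 128.10.0esr' -> ((128, 10, 0), True)."""
    m = _VERSION.search(text)
    if m is None:
        raise ValueError(f"no Firefox version in {text!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def is_vulnerable(text):
    """True if the version string predates the fix for its channel."""
    version, is_esr = parse_version(text)
    if not is_esr:
        return version < FIXED_RELEASE
    # Assumption: an ESR build is judged against the nearest listed ESR
    # line at or above its major version; ESR lines newer than 128 are
    # compared with the release threshold.
    if version[0] <= 115:
        return version < FIXED_ESR_115
    if version[0] <= 128:
        return version < FIXED_ESR_128
    return version < FIXED_RELEASE


def audit(inventory):
    """Return the sorted host names whose Firefox build still needs the update."""
    return sorted(h for h, v in inventory.items() if is_vulnerable(v))


# Constructed sample inventory (host names and versions are made up).
SAMPLE = {
    "ws-01": "Mozilla Firefox 138.0.3",
    "ws-02": "Mozilla Firefox 138.0.4",
    "ws-03": "Mozilla Firefox 128.10.0esr",
    "ws-04": "Mozilla Firefox 115.23.1esr",
    "ws-05": "Mozilla Firefox 102.15.1esr",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```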


ZaKi
