Critical Security Flaws in Firefox Identified: CVE-2025-4918 and CVE-2025-4919

Overview of Security Vulnerabilities

Mozilla has released security updates that fix two significant vulnerabilities in its Firefox browser, tracked as CVE-2025-4918 and CVE-2025-4919. Both flaws were exploited as zero-days during the recent Pwn2Own Berlin hacking contest, where the potential for sensitive data exposure and code execution was demonstrated.

 


Details of Vulnerabilities

CVE-2025-4918 is an out-of-bounds access vulnerability that occurs during the resolution of promise objects. It can allow an attacker to read from or write to a JavaScript promise object, leading to unauthorized data manipulation. CVE-2025-4919 is a second out-of-bounds access vulnerability, this one in the optimization of linear sums. It could let an attacker interfere with array index sizes, resulting in out-of-bounds read or write operations on JavaScript objects.

Impact and Recommendations

If successfully exploited, both vulnerabilities could facilitate out-of-bounds read or write actions, creating avenues for attackers to access sensitive information or induce memory corruption, ultimately paving the way for code execution. Affected versions include all Firefox versions prior to 138.0.4, all Firefox Extended Support Release (ESR) versions before 128.10.1, and all Firefox ESR versions before 115.23.1. The exploits were disclosed by researchers Edouard Bochin and Tao Yan from Palo Alto Networks for CVE-2025-4918, and Manfred Paul for CVE-2025-4919. Each of these individuals received a $50,000 reward at the Pwn2Own Berlin event, underscoring the importance of reporting security threats.

Given that web browsers remain prime targets for malware, users are strongly encouraged to update their Firefox installations to the latest version to mitigate potential security threats.
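To apply the affected-version list above across a fleet, the following added example (not from Mozilla or the original article) classifies version strings in the format printed by `firefox --version`. The host names and inventory are constructed, and the rule that each ESR build is compared against the fix for its own branch is an assumption drawn from the two ESR thresholds given above.

```python
import re

# Fixed versions as listed in the article.
FIXED_RELEASE = (138, 0, 4)
FIXED_ESR = {128: (128, 10, 1), 115: (115, 23, 1)}

# Matches "138.0.4", "128.10", "115.23.1esr"; pre-release strings are rejected.
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), is_esr), or None if unparseable."""
    tokens = text.split()
    match = _VERSION.fullmatch(tokens[-1]) if tokens else None
    if match is None:
        return None
    major, minor, patch, esr = match.groups()
    return (int(major), int(minor), int(patch or 0)), esr is not None


def is_affected(text):
    """True = affected, False = fixed, None = could not parse (review by hand)."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    version, is_esr = parsed
    if not is_esr:
        return version < FIXED_RELEASE
    # Assumption: an ESR build is judged against the fix for its own branch;
    # ESR branches not named in the article fall back to the 128 threshold.
    return version < FIXED_ESR.get(version[0], FIXED_ESR[128])


def audit(inventory):
    """Map each host to 'AFFECTED', 'ok' or 'UNKNOWN'."""
    labels = {True: "AFFECTED", False: "ok", None: "UNKNOWN"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


# Constructed inventory (hypothetical hosts), as reported by `firefox --version`.
SAMPLE = {
    "ws-01": "Mozilla Firefox 138.0.3",
    "ws-02": "Mozilla Firefox 138.0.10",
    "ws-03": "Mozilla Firefox 128.10.0esr",
    "ws-04": "Mozilla Firefox 115.23.1esr",
    "ws-05": "Mozilla Firefox 139.0b5",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Comparing versions as integer tuples avoids the string-comparison error that would rank 138.0.10 below 138.0.4, and the per-branch ESR lookup keeps a patched 115.23.1esr from being flagged against the 128.10.1 threshold.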
