Mozilla has released urgent updates to address a critical security flaw in its Firefox browser for Windows. The vulnerability, CVE-2025-2857, was identified after analyzing a similar exploit found in Google Chrome. Mozilla’s advisory states that a compromised child process could allow a sandbox escape, leading to unintended access to the parent process. The issue was patched in Firefox 136.0.4, Firefox ESR 115.21.1, and Firefox ESR 128.8.1, but there is no evidence that the flaw has been exploited.
The flaw is described as an incorrect handle causing a sandbox escape, affecting Firefox and Firefox ESR on Windows.
Mozilla confirmed that the bug was discovered following the release of a similar flaw in Chrome, CVE-2025-2783. That issue had been actively exploited by attackers targeting media outlets, government organizations, and educational institutions. Kaspersky reported that the Chrome vulnerability was used in a phishing campaign to exploit the issue and gain remote code execution.
While the vulnerability CVE-2025-2857 has not been exploited in the wild, Mozilla acted swiftly to release the fix.
The update follows Google’s release of Chrome version 134.0.6998.177/.178, which patched the CVE-2025-2783 flaw after it was linked to real-world attacks. Federal agencies are now required to apply mitigations for CVE-2025-2783 by April 17, 2025, as per the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Mozilla’s proactive response highlights the importance of addressing security vulnerabilities as soon as they are discovered.
Users are encouraged to update their browsers to the latest versions to mitigate potential risks associated with this critical flaw. The rapid release of patches for both Firefox and Chrome illustrates the ongoing battle against cyber threats and vulnerabilities in widely used software. Users are advised to regularly check for updates and follow cybersecurity best practices to stay protected from evolving online threats.
