Mozilla Urgent Firefox Patch Fixes RCE Flaws

May 19, 2025

Mozilla recently released an urgent security update for its Firefox web browser. The update addresses two critical vulnerabilities that could allow remote code execution. Multiple versions of the browser are affected and require users’ immediate attention. Security experts warn that attackers need very little user interaction to exploit these flaws: a remote attacker can trick a victim into visiting a specially crafted malicious website, and visiting it can trigger an out-of-bounds write that allows arbitrary code execution. Successful exploitation could fully compromise the user’s system and all of their sensitive data.

Mozilla therefore strongly urges all Firefox users to apply the new security patches promptly.

Security researchers have identified two severe out-of-bounds vulnerabilities in Firefox’s JavaScript engine, tracked as CVE-2025-4918 and CVE-2025-4919. Experts from Trend Micro’s Zero Day Initiative played a key role in their discovery, and Mozilla has officially classified both issues as “critical”. The first flaw, CVE-2025-4918, involves out-of-bounds memory access with JavaScript Promise objects: attackers could perform an out-of-bounds read or write using manipulated Promise objects. The second flaw, CVE-2025-4919, allows similar memory corruption by confusing array index sizes.

Both vulnerabilities could let remote attackers execute arbitrary code through specially crafted websites.

These flaws affect a range of Firefox versions, including ESR builds. Specifically affected are regular Firefox versions released prior to 138.0.4, as well as Firefox ESR versions before 128.10.1 and before 115.23.1. Cybersecurity Help noted that affected versions span Firefox 110.0 up to 138.0.3. The Common Vulnerability Scoring System (CVSS) assigned these flaws a high base score of 8.8, indicating a significant potential risk to affected systems. The vulnerabilities were reportedly demonstrated live at the Pwn2Own 2025 security competition, and Mozilla quickly developed and released patches following this public demonstration.

Mozilla strongly advises all users to update their Firefox installations to the newest versions immediately. The recommended patched versions are Firefox 138.0.4 and Firefox ESR 128.10.1 or 115.23.1. Users can apply these updates from the Firefox browser menu: Windows users should select “Help” from the menu and then click “About Firefox”, while Mac users should select “About Firefox” directly from the main Firefox application menu. Security experts emphasize that these vulnerabilities could be actively exploited by attackers in the wild, so immediate patching is essential for system security and user safety. Keeping browser software updated is a crucial defense against evolving online threats.
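For teams checking many machines rather than one browser menu, the version thresholds above can be applied to collected `firefox --version` strings. The following is an added example, not code from Mozilla or from this article; the function names and the inventory are constructed for illustration, and an ESR build on a branch other than 115 or 128 is reported as unknown because the alert gives no fixed version for it.

```python
import re

# Fixed versions as stated in the alert above.
FIXED_RELEASE = (138, 0, 4)
FIXED_ESR = {128: (128, 10, 1), 115: (115, 23, 1)}

# Matches e.g. "138.0.3", "138.0" or "128.10.0esr" inside a longer string.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\b", re.IGNORECASE)


def parse_firefox_version(text):
    """Return ((major, minor, patch), is_esr), or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return version, bool(m.group(4))


def classify(text):
    """Classify one version string as patched, vulnerable, or undetermined."""
    parsed = parse_firefox_version(text)
    if parsed is None:
        return "unparsed"
    version, is_esr = parsed
    if is_esr:
        fixed = FIXED_ESR.get(version[0])
        if fixed is None:
            return "unknown-esr-branch"  # assumption: page lists no fix here
        return "patched" if version >= fixed else "vulnerable"
    return "patched" if version >= FIXED_RELEASE else "vulnerable"


def audit(inventory):
    """Map each host to its status; hosts needing follow-up sort first."""
    results = {host: classify(raw) for host, raw in inventory.items()}
    return dict(sorted(results.items(), key=lambda kv: kv[1] == "patched"))


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "ws-001": "Mozilla Firefox 138.0.3",
    "ws-002": "Mozilla Firefox 138.0.4",
    "kiosk-07": "Mozilla Firefox 128.10.0esr",
    "lab-12": "Mozilla Firefox 115.23.1esr",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```
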

Reference:

  • Mozilla Released an Urgent Firefox Update to Fix JavaScript RCE Vulnerabilities