Mozilla Issues Emergency Firefox Update to Fix Two Critical Zero-Day Vulnerabilities

The flaws, demonstrated at the Pwn2Own Berlin contest, could allow attackers to exploit JavaScript engine weaknesses if users fail to update promptly.

Overview

  • Mozilla has released Firefox 138.0.4 and updated ESR builds to patch two critical zero-day vulnerabilities discovered at Pwn2Own Berlin 2025.
  • The vulnerabilities, CVE-2025-4918 and CVE-2025-4919, involve out-of-bounds access issues in the JavaScript engine, enabling potential code execution with minimal user interaction.
  • Researchers Edouard Bochin, Tao Yan, and Manfred Paul, who uncovered the flaws, were awarded $50,000 each for their findings during the contest.
  • The flaws have not yet been exploited outside of the contest, but public disclosure increases the risk of real-world attacks, making immediate updates crucial.
  • Affected versions include Firefox before 138.0.4, Firefox ESR before 128.10.1 and before 115.23.1, and Firefox for Android; users are urged to update via the browser's 'About Firefox' menu.