Full Report
Mozilla has released security updates to address two critical security flaws in its Firefox browser that could potentially be exploited to access sensitive data or achieve code execution. The vulnerabilities, both of which were exploited as zero-days at Pwn2Own Berlin, are listed below - CVE-2025-4918 - An out-of-bounds access vulnerability when resolving Promise objects that could allow an
Analysis Summary
# Vulnerability: Two Zero-Day Out-of-Bounds Access Flaws in Firefox (Pwn2Own Berlin)
## CVE Details
- CVE ID: CVE-2025-4918, CVE-2025-4919
- CVSS Score: Not explicitly provided, but described as "critical."
- CWE: Related to Out-of-Bounds Read (CWE-125) and Out-of-Bounds Write (CWE-787).
## Affected Systems
- Products: Mozilla Firefox, Firefox Extended Support Release (ESR)
- Versions:
  - Firefox before 138.0.4
  - Firefox ESR before 128.10.1
  - Firefox ESR before 115.23.1
- Configurations: Standard browsing environment.
## Vulnerability Description
Two distinct zero-day vulnerabilities were discovered and subsequently patched by Mozilla after being successfully exploited at the Pwn2Own Berlin competition. Both flaws are related to out-of-bounds access in different areas of the JavaScript engine (likely SpiderMonkey):
1. **CVE-2025-4918:** An **out-of-bounds access vulnerability** when resolving Promise objects. Successful exploitation allows an attacker to perform arbitrary read or write operations on a JavaScript Promise object.
2. **CVE-2025-4919:** An **out-of-bounds access vulnerability** when optimizing linear sums, potentially allowing an attacker to confuse array index sizes and perform arbitrary read or write operations on a JavaScript object.
Successful exploitation of either flaw could lead to an out-of-bounds read (sensitive information disclosure) or an out-of-bounds write, potentially resulting in memory corruption and subsequent arbitrary code execution.
## Exploitation
- Status: **Both vulnerabilities were exploited as zero-days at Pwn2Own Berlin** (a controlled contest setting; no in-the-wild attacks are reported in the source).
- Complexity: Implied **Medium/High**, since each required a working zero-day exploit chain and earned a significant reward ($50,000 USD each).
- Attack Vector: Likely **Network** via malicious web content delivery.
## Impact
- Confidentiality: High (Potential for sensitive data disclosure via OOB Read).
- Integrity: High (Potential for code execution via OOB Write).
- Availability: Medium (Potential for crash/denial of service, but primary impact is execution).
## Remediation
### Patches
- Firefox: Updated to version **138.0.4** or newer.
- Firefox ESR: Updated to version **128.10.1** or newer.
- Firefox ESR (older branch): Updated to version **115.23.1** or newer.
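The three fixed versions above sit on three separate branches, so a naive "version >= 138.0.4" check would wrongly flag every ESR install as vulnerable. The following added example (not from the advisory or from Mozilla) shows a branch-aware check over a software inventory: it treats the `esr` suffix as the branch marker, compares against the fixed version for that branch only, and reports ESR majors the advisory does not mention as `unknown` rather than guessing. The inventory lines and host names are constructed for illustration.

```python
import re
from typing import Dict, Iterable, Tuple

# Fixed versions per branch, as stated in the advisory summary above.
FIXED = {
    "release": (138, 0, 4),
    "esr128": (128, 10, 1),
    "esr115": (115, 23, 1),
}

# Matches "138.0.4", "138.0", "128.10.1esr", "115.23.1 ESR".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+){0,2})\s*(esr)?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_esr) for a Firefox version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)  # "138.0" compares as 138.0.0
    return (parts[0], parts[1], parts[2]), m.group(2) is not None


def is_patched(text: str) -> str:
    """Classify one version string as 'patched', 'vulnerable' or 'unknown'.

    Release builds are compared against 138.0.4; ESR builds are compared
    against the fix on their own branch. An ESR major the advisory does not
    cover (e.g. an end-of-life 102 ESR) is reported as 'unknown' so it gets
    looked at by a human instead of being silently marked safe.
    """
    version, is_esr = parse_version(text)
    if not is_esr:
        branch = "release"
    elif version[0] == 128:
        branch = "esr128"
    elif version[0] == 115:
        branch = "esr115"
    else:
        return "unknown"
    return "patched" if version >= FIXED[branch] else "vulnerable"


def triage_inventory(lines: Iterable[str]) -> Dict[str, str]:
    """Map host -> status for CSV-style 'host,version' lines (constructed format)."""
    results: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            results[host.strip()] = is_patched(version)
        except ValueError:
            results[host.strip()] = "unparseable"
    return results


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    "# host,firefox_version",
    "ws-01,138.0.3",        # release, one patch level short
    "ws-02,138.0.4",        # release, fixed
    "ws-03,139.0",          # later release, fixed
    "srv-01,128.10.0esr",   # ESR 128, vulnerable
    "srv-02,128.10.1esr",   # ESR 128, fixed
    "kiosk-01,115.22.0esr", # ESR 115, vulnerable
    "kiosk-02,115.23.1 ESR",# ESR 115, fixed (suffix spacing/case varies)
    "legacy-01,102.15.1esr",# ESR branch not covered by the advisory
    "bad-01,n/a",           # unparseable inventory entry
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {status}")
```

Note that the check is deliberately conservative: anything it cannot place on one of the three advised branches is surfaced as `unknown` or `unparseable` instead of being counted as patched.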
### Workarounds
- The primary mitigation is immediate patching, since working exploits for both flaws were demonstrated at Pwn2Own. No specific workarounds were detailed; until patched, users should avoid untrusted websites, as the likely attack vector is malicious web content.
## Detection
- Detection mechanisms were not detailed in the context provided, as the focus was on patching the issue after exploitation.
- **General Detection:** Monitoring for unexpected Firefox crashes, particularly JIT-related crashes in the JavaScript engine, can serve as an indicator of attempted memory corruption exploits of this kind.
## References
- Vendor Advisory (CVE-2025-4918): hxxps://www.mozilla.org/en-US/security/advisories/mfsa2025-36/
- Vendor Advisory (CVE-2025-4919): hxxps://www.mozilla.org/en-US/security/advisories/mfsa2025-37/
- Vendor Advisory (Older ESR): hxxps://www.mozilla.org/en-US/security/advisories/mfsa2025-38/
- Pwn2Own Results Reference: hxxps://www.zerodayinitiative.com/blog/2025/05/16/pwn2own-berlin-2025-day-two-results
- Pwn2Own Results Reference: hxxps://www.zerodayinitiative.com/blog/2025/5/17/pwn2own-berlin-2025-day-three-results