Mozilla Releases Security Updates for Firefox and Firefox ESR
Summary
Mozilla releases security updates addressing two critical vulnerabilities that could lead to an out-of-bounds read or write on a JavaScript object
Affected platforms
The following platforms are known to be affected (derived from the fixed versions listed in the remediation steps below):
- Firefox versions prior to 138.0.4
- Firefox ESR versions prior to 128.10.1
- Firefox ESR versions prior to 115.23.1
Threat details
Out-of-bounds access exploits against Firefox and Firefox ESR
The NHS England National CSOC assesses that the vulnerabilities identified as CVE-2025-4918 and CVE-2025-4919 were exploited by security researchers during the Pwn2Own security hacking competition.
Introduction
Mozilla has released three security advisories to address two critical vulnerabilities in Firefox and Firefox ESR.
- CVE-2025-4918 is an 'out-of-bounds access when resolving promise objects' vulnerability. If exploited, it could allow an attacker to perform an out-of-bounds read or write on a JavaScript Promise object.
- CVE-2025-4919 is an 'out-of-bounds access when optimizing linear sums' vulnerability. If exploited, it could allow an attacker to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes.
Remediation advice
Affected organisations are encouraged to review the Mozilla Foundation Security Advisories and apply the relevant updates as soon as practicable. These advisories are detailed below for clarity.
Remediation steps
Type | Product | Fixed version | Advisory |
---|---|---|---|
Patch | Firefox | 138.0.4 | https://www.mozilla.org/en-US/security/advisories/mfsa2025-36 |
Patch | Firefox ESR | 115.23.1 | https://www.mozilla.org/en-US/security/advisories/mfsa2025-38/ |
Patch | Firefox ESR | 128.10.1 | https://www.mozilla.org/en-US/security/advisories/mfsa2025-37/ |
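Because the fixed version differs by branch (release, ESR 128 and ESR 115), a naive "is the version at least 138.0.4" check would wrongly flag a patched 128.10.1esr install as vulnerable and wrongly pass a 130.x release build. The script below, an added example that is not NHS England or Mozilla code, maps a Firefox version string to its branch and compares it against the fixed versions from the three advisories above. The `FIXED` table, the helper names and the use of `firefox --version` for discovery are this example's own assumptions.

```python
"""Check a Firefox / Firefox ESR version against the fixed versions in
mfsa2025-36, mfsa2025-37 and mfsa2025-38 (CVE-2025-4918, CVE-2025-4919).

Added example for this advisory; not code from NHS England or Mozilla.
"""
import re
import subprocess

# Minimum fixed version per branch, taken from the remediation table above.
# The dictionary and its branch names are an assumption of this example.
FIXED = {
    "release": (138, 0, 4),   # mfsa2025-36
    "esr128": (128, 10, 1),   # mfsa2025-37
    "esr115": (115, 23, 1),   # mfsa2025-38
}


def parse_version(text):
    """Extract (major, minor, patch) from strings such as
    'Mozilla Firefox 138.0.3' or '128.10.1esr'. A missing patch number
    is treated as 0 (e.g. '139.0' -> (139, 0, 0))."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def branch_for(version):
    """Pick the advisory branch by major version: 115 and 128 are the ESR
    lines at the time of these advisories; everything else is compared
    against the release fix."""
    major = version[0]
    if major == 115:
        return "esr115"
    if major == 128:
        return "esr128"
    return "release"


def is_patched(text):
    """True if the version string meets or exceeds the fixed version for
    its branch. Release builds older than 138.0.4 (for example 137.0.2)
    and ESR builds older than their branch fix are reported as unpatched."""
    version = parse_version(text)
    return version >= FIXED[branch_for(version)]


def local_firefox_version(binary="firefox"):
    """Ask the local Firefox binary for its version string, or None if it
    is not on PATH. The '--version' flag is a real Firefox CLI option."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=10, check=True)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample strings so the check can be exercised offline.
    samples = [
        "Mozilla Firefox 138.0.3",      # release, unpatched
        "Mozilla Firefox 138.0.4",      # release, patched
        "Mozilla Firefox 128.10.0esr",  # ESR 128, unpatched
        "Mozilla Firefox 128.10.1esr",  # ESR 128, patched
        "Mozilla Firefox 115.23.1esr",  # ESR 115, patched
    ]
    local = local_firefox_version()
    if local:
        samples.append(local)
    for s in samples:
        state = "patched" if is_patched(s) else "UNPATCHED"
        print(f"{s:32} {branch_for(parse_version(s)):8} {state}")
```

On a managed estate the same comparison can be driven from inventory data rather than `firefox --version`; the branch mapping is the part worth keeping, since version numbers alone do not order correctly across the release and ESR lines.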
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 19 May 2025 1:37 pm