Firefox Zero-Day Vulnerabilities Exploited At Pwn2own Hacking Competition

Multiple critical vulnerabilities in Mozilla Firefox were exploited during the Pwn2Own 2024 hacking contest. These zero-day vulnerabilities allowed remote attackers to execute arbitrary code, posing a severe risk to users. Mozilla has issued patches addressing these flaws across Firefox versions.

Severity Level: Critical

VULNERABILITY OVERVIEW:

1. Mozilla has issued security updates to address two critical vulnerabilities in its Firefox browser that could be exploited to access sensitive data or execute arbitrary code.
2. Both flaws were actively exploited as zero-days during the recent Pwn2Own Berlin 2025 hacking competition where each team received a $50,000 reward for their findings.
3. The updates, which cover Firefox on both desktop and Android platforms, as well as two Extended Support Releases (ESR), were issued just hours after the event concluded on Saturday—immediately following the public demonstration of the second vulnerability.
4. Vulnerability Details:
   • CVE-2025-4918 – An out-of-bounds access vulnerability when resolving Promise objects that could allow an attacker to perfom read or write on a JavaScript engine.
   • CVE-2025-4919 – An out-of-bounds access vulnerability when optimizing linear sums that could allow an attacker to perform read or write on a JavaScript object by confusing array index sizes
5. Affected Firefox Versions
   • Firefox versions prior to 138.0.4
   • Firefox ESR versions prior to 128.10.1
   • Firefox ESR versions prior to 115.23.1
6. Exploitation of either vulnerability could lead to out-of-bounds memory access, enabling attackers to bypass security boundaries, access confidential information, or trigger memory corruption that may result in remote code execution.
7. There is currently no evidence that these vulnerabilities have been exploited outside of the Pwn2Own competition. However, given their public exposure, Mozilla acted quickly to prevent potential real-world attacks.

Recommendations:

1. Users are strongly advised to update Firefox to v138.0.4, and Firefox ESR to v128.10.1 or v115.23.1 as soon as possible.
2. Consider applying strict content security policies and network segmentation to limit browser-based threats.
3. Enable Enhanced Tracking Protection: Available in Firefox settings.

Source:

• https://www.bleepingcomputer.com/news/security/mozilla-fixes-firefox-zero-days-exploited-at-hacking-contest/
• https://www.mozilla.org/en-US/security/advisories/mfsa2025-36/
• https://www.mozilla.org/en-US/security/advisories/mfsa2025-37/
• https://www.mozilla.org/en-US/security/advisories/mfsa2025-38/

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.