Date: 20 May 2025

Mozilla has released emergency patches for two critical zero-day vulnerabilities in Firefox. Both flaws were successfully demonstrated during the Pwn2Own Berlin 2025 competition and affect the browser’s JavaScript engine. These issues could allow attackers to access or manipulate memory, potentially leading to information disclosure or remote code execution.

While there is no indication of active exploitation in the wild, public demonstration increases the risk of threat actors replicating these attacks. Immediate patching is strongly recommended.

Affected Product

  • Firefox ESR: Versions prior to 128.10.1 and 115.23.1
  • Firefox Desktop and Android: Versions prior to 138.0.4

Vulnerability Overview

CVE-2025-4918

  • Type: Out-of-bounds read and write in JavaScript Promise resolution
  • Impact: Allows attackers to access or modify memory, which may lead to data leakage or code execution
  • Discovered by: Edouard Bochin and Tao Yan (Palo Alto Networks)
  • Demonstrated at: Pwn2Own Berlin 2025
  • Details: Triggered during the handling of asynchronous Promise objects in the JavaScript engine

CVE-2025-4919

  • Type: Array index confusion resulting in out-of-bounds memory access
  • Impact: May allow manipulation of memory to achieve code execution
  • Discovered by: Manfred Paul
  • Demonstrated at: Pwn2Own Berlin 2025
  • Details: Exploits a flaw in JavaScript array indexing to bypass memory safety protections

Mitigation and Recommendations

Update Immediately

  • Install Firefox 138.0.4 for Desktop and Android
  • Install ESR versions 128.10.1 or 115.23.1 depending on your environment

Automate Patch Deployment

  • Use endpoint management tools to ensure all devices are up to date
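To turn the version thresholds above into something an inventory pass can act on, here is an added example (not Mozilla's tooling or this advisory's own code) that classifies reported Firefox version strings against the fixed builds named here. It assumes version strings in Firefox's own format, with an "esr" suffix on ESR builds, and uses a constructed hostname-to-version inventory.

```python
"""Classify Firefox version strings against the fixes named in this advisory."""
from typing import Optional, Tuple

# Fixed versions from the advisory; anything below these on its branch is affected.
FIXED_RELEASE = (138, 0, 4)          # Firefox Desktop and Android
FIXED_ESR = {115: (115, 23, 1),      # Firefox ESR 115 line
             128: (128, 10, 1)}      # Firefox ESR 128 line


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '128.10.1esr' or '138.0.4' into a comparable tuple of ints.

    The 'esr' suffix Firefox appends to ESR builds is stripped; missing
    components are treated as zero so '138' compares as (138, 0, 0).
    """
    core = version.strip().lower().removesuffix("esr")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version: str, esr: Optional[bool] = None) -> bool:
    """True if this build is missing the fixes for CVE-2025-4918 / CVE-2025-4919.

    esr=None infers the channel: an 'esr' suffix or a major version on one of
    the two ESR lines (115/128) is treated as ESR, everything else as release.
    """
    raw = version.strip().lower()
    parsed = parse_version(raw)
    if esr is None:
        esr = raw.endswith("esr") or parsed[0] in FIXED_ESR
    if esr:
        fixed = FIXED_ESR.get(parsed[0])
        if fixed is None:
            # Assumption: an ESR line not listed in the advisory received no
            # fix here, so it is conservatively flagged for follow-up.
            return True
        return parsed < fixed
    return parsed < FIXED_RELEASE


def triage(inventory):
    """Return the hostnames whose Firefox build still needs the update."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> reported Firefox version).
    sample = {"ws-01": "138.0.3", "ws-02": "138.0.4", "srv-03": "128.10.0esr",
              "srv-04": "128.10.1esr", "kiosk-05": "115.22.0esr", "lab-06": "139.0"}
    print("Needs update:", triage(sample))
```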

Monitor Browser Behaviour

  • Look for unexplained crashes or irregular activity that could indicate exploitation

Communicate with Users

  • Instruct users to update their browsers and restart them after installation
  • Remind users to avoid untrusted websites and to remain vigilant

Summary for SOC Teams

  • Severity: Critical
  • CVE IDs: CVE-2025-4918, CVE-2025-4919
  • Affected Product: Mozilla Firefox (Desktop, Android, ESR)

Need Help?

If your organisation requires assistance identifying affected systems, applying updates or adjusting controller configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.