Mozilla Urges Immediate Firefox Update After Pwn2Own Exposes Critical Vulnerabilities
May 19, 2025
The vulnerabilities, identified as CVE-2025-4918 and CVE-2025-4919, allow attackers to perform out-of-bounds read or write operations on JavaScript objects.
Mozilla aims to enhance its incident response and will continue to seek new security improvements to protect Firefox users worldwide.
The Pwn2Own Berlin 2025 event concluded with over $1 million in prizes awarded, showcasing significant hacks including a breach of Windows 11.
CVE-2025-4918 involves an out-of-bounds access related to Promise objects, while CVE-2025-4919 concerns out-of-bounds access during the optimization of linear sums.
These vulnerabilities were reported by researchers Edouard Bochin and Tao Yan from Palo Alto Networks, who each received $50,000 for their discoveries.
Exploiting these vulnerabilities requires minimal user interaction, making it essential for users to update their browsers without delay.
Mozilla has released critical security updates for Firefox to address two vulnerabilities that were exploited during the recent Pwn2Own Berlin hacking contest.
Despite the critical nature of these flaws, Mozilla confirmed that neither exploit was able to escape the Firefox sandbox, which has been strengthened against such attacks.
In response to the vulnerabilities, Mozilla quickly assembled a global task force to develop and test necessary security fixes.
On May 17, 2025, Mozilla released updated versions of Firefox, including 138.0.4, ESR 128.10.1, and ESR 115.23.1, urging users to upgrade immediately.
Currently, there is no evidence that these vulnerabilities are being actively exploited outside of the Pwn2Own event, but their public demonstration raises concerns about potential real-world attacks.
This year, the Pwn2Own event saw no successful sandbox escapes, highlighting architectural improvements in Firefox's security framework.
Summary based on 6 sources
Sources

Forbes • May 19, 2025
New Firefox Warning—Emergency Update Fixes Two Exploited Flaws
BleepingComputer • May 19, 2025
Mozilla fixes Firefox zero-days exploited at hacking contest
The Hacker News • May 19, 2025
Firefox Patches 2 Zero-Days Exploited at Pwn2Own Berlin with $100K in Rewards
Slashdot • May 18, 2025
Firefox Announces Same-Day Update After Two Minor Pwn2Own Exploits