Ethical Hacking News
Mozilla recently faced a critical vulnerability at Pwn2Own Berlin 2025, exposing sensitive data and providing attackers with code execution capabilities. In this article, we explore the details of this security breach and discuss the steps Mozilla has taken to address these issues.
The Mozilla browser was targeted at Pwn2Own Berlin 2025, exposing sensitive data and providing attackers with code execution capabilities.Two vulnerabilities were demonstrated against Firefox: CVE-2025-4918 (out-of-bounds access when resolving Promise objects) and CVE-2025-4919 (out-of-bounds access when optimizing linear sums).The vulnerabilities were zero-day flaws, meaning they had not been previously disclosed to the public.Mozilla released security updates for affected versions of Firefox before 138.0.4, ESR, and other versions.User awareness is also crucial in protecting against security threats, with Mozilla emphasizing the need to keep software up-to-date and be cautious when interacting with unknown sources.
Mozilla, a leading provider of open-source internet browsers, recently faced a critical vulnerability at Pwn2Own Berlin 2025, exposing sensitive data and providing attackers with code execution capabilities. In this article, we will delve into the details of this security breach, examine the vulnerabilities that were exploited, and discuss the steps Mozilla has taken to address these issues.
The Pwn2Own hacking competition is an annual event where researchers and hackers compete against vendors to identify vulnerabilities in their software. This year's event took place at Berlin and featured a range of challenges for participants. In this instance, security researchers demonstrated two new content-process exploits against Firefox, a browser used by millions of people worldwide.
The first vulnerability, CVE-2025-4918, was identified as an out-of-bounds access when resolving Ppomise objects. This means that an attacker could potentially perform an out-of-bounds read or write on a JavaScript Promise object, allowing them to execute arbitrary code. The vulnerability was discovered by Edouard Bochin and Tao Yan from Palo Alto Networks working with Trend Micro's Zero Day Initiative.
The second vulnerability, CVE-2025-4919, was identified as an out-of-bounds access when optimizing linear sums. This means that an attacker could potentially perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes. The vulnerability was discovered by Manfred Paul working with Trend Micro's Zero Day Initiative.
Both vulnerabilities were demonstrated as zero-day flaws, meaning that they had not been previously disclosed to the public and were only known to the researchers who discovered them. This is significant because it highlights the importance of bug bounty programs in identifying vulnerabilities before they are exploited by malicious actors.
Mozilla took immediate action to address these vulnerabilities, releasing security updates for all versions of Firefox before 138.0.4, as well as all versions of Firefox Extended Support Release (ESR) before 128.10.1, and all versions of Firefox ESR before 115.23.1. This ensures that users are protected from potential exploitation by these vulnerabilities.
In addition to releasing security updates, Mozilla has also acknowledged the importance of user awareness in protecting against security threats. The company emphasizes the need for users to keep their software up-to-date and to be cautious when clicking on links or opening attachments from unknown sources.
The impact of this vulnerability is significant, particularly given the widespread use of Firefox as a browser. However, it is worth noting that Mozilla has taken swift action to address these vulnerabilities, demonstrating its commitment to user security and privacy.
In conclusion, the recent Pwn2Own Berlin 2025 event exposed critical vulnerabilities in Firefox, highlighting the importance of bug bounty programs and user awareness in protecting against security threats. Mozilla's swift response to these vulnerabilities demonstrates its commitment to user security and privacy, ensuring that users are protected from potential exploitation by these flaws.
Related Information:
https://www.ethicalhackingnews.com/articles/Mozilla-Closes-Security-Loopholes-Pwn2Own-Berlin-2025-Exposes-Critical-Firefox-Vulnerabilities-ehn.shtml
https://securityaffairs.com/178064/security/mozilla-fixed-zero-days-demonstrated-at-pwn2own-berlin-2025.html
https://nvd.nist.gov/vuln/detail/CVE-2025-4918
https://www.cvedetails.com/cve/CVE-2025-4918/
https://nvd.nist.gov/vuln/detail/CVE-2025-4919
https://www.cvedetails.com/cve/CVE-2025-4919/
Published: Mon May 19 14:26:44 2025 by llama3.2 3B Q4_K_M
