Critical Firefox 0-Day Flaws Allow Remote Code Execution
Mozilla has urgently patched two critical 0-day vulnerabilities in its popular web browser Firefox, both of which could allow remote attackers to execute malicious code on user systems.
The flaws, tracked as CVE-2025-4918 and CVE-2025-4919, were disclosed on May 17, 2025, and are addressed in Firefox version 138.0.4. Security experts are strongly advising all users to update immediately, as active exploitation in the wild is likely.
The first vulnerability, CVE-2025-4918, was reported by Edouard Bochin and Tao Yan of Palo Alto Networks, working in collaboration with Trend Micro’s Zero Day Initiative.
This flaw revolves around an out-of-bounds access condition that arises when Firefox’s JavaScript engine resolves Promise objects.
JavaScript Promises are widely used for handling asynchronous operations in modern web applications, and improper management of their memory boundaries can open the door for attackers.
By exploiting this flaw, a remote attacker could perform an out-of-bounds read or write operation, potentially leading to data leakage, browser crashes, or even the execution of arbitrary code under the context of the browser.
The underlying technical issue involves the incorrect handling of memory when Promise objects are resolved, allowing crafted JavaScript to manipulate the browser’s internal memory space.
Such vulnerabilities are particularly dangerous as they can often be triggered simply by visiting a malicious web page.
This means attackers do not require any additional user interaction, vastly increasing the risk profile and urgency of the fix.
Array Index Confusion
The second 0-day flaw, tracked as CVE-2025-4919, was discovered by security researcher Manfred Paul, also working with Trend Micro’s Zero Day Initiative.
This vulnerability is rooted in the Firefox JavaScript engine’s optimization routines, specifically when handling linear sums in array operations.
Improper validation during the optimization process can allow an attacker to confuse array index sizes, again permitting out-of-bounds read or write conditions.
An attacker exploiting CVE-2025-4919 could craft malicious JavaScript that manipulates array sizes and indices in such a way that the browser reads from or writes to unexpected areas of memory.
This kind of memory corruption is a common technique for bypassing security controls and ultimately achieving remote code execution.
The revelation that both vulnerabilities impact core aspects of the JavaScript engine, which is central to all modern web functionality, means the potential impact is extremely broad.
Both vulnerabilities have been rated “critical” by Mozilla, reflecting the highest severity due to the possibility of arbitrary code execution and the likelihood of exploitation in real-world attacks.
They have been publicly disclosed under Mozilla’s security advisory process, with Firefox 138.0.4 serving as the first version that addresses both flaws.
Mozilla has credited the discoverers and the Zero Day Initiative for their responsible disclosure, allowing for the vulnerabilities to be patched before widespread exploitation.
According to the report, security researchers and organizations are sounding the alarm: users should install the latest Firefox update immediately, as attackers are known to rapidly incorporate fresh browser exploits into malicious campaigns.
For those unable to update right away, it is strongly recommended to avoid visiting unfamiliar websites and to temporarily disable JavaScript execution through browser settings or security extensions.
Regularly updating browsers and other software remains one of the most effective defenses against these rapidly evolving threats.
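One way to act on the update advice across a fleet, as an added example that is not from Mozilla or the original article: it classifies reported Firefox versions against 138.0.4, the fixed version named above. The inventory format, host names, and function names are assumptions; ESR and pre-release builds are flagged for manual review because the article gives no fixed version for those channels.

```python
import re

# First release-channel version the article names as fixing both CVEs.
FIXED_RELEASE = (138, 0, 4)

# Accepts "138.0.3", "Mozilla Firefox 138.0.4", "128.10.0esr", "139.0b5".
# The lookbehind stops the pattern from matching the tail of a longer number.
_VERSION_RE = re.compile(
    r"(?<![\d.])(\d+)\.(\d+)(?:\.(\d+))?(esr|[ab]\d+)?\s*$"
)

def classify(version_string):
    """Return 'patched', 'vulnerable', or 'review' for one reported version."""
    m = _VERSION_RE.search(version_string.strip())
    if not m:
        return "review"  # unparseable: needs a human look
    major, minor, patch, suffix = m.groups()
    if suffix:
        # ESR and beta/alpha builds use their own numbering; the article gives
        # no fixed version for them, so do not guess.
        return "review"
    version = (int(major), int(minor), int(patch or 0))
    return "patched" if version >= FIXED_RELEASE else "vulnerable"

def audit(inventory_lines):
    """Group hosts by status from 'host,version' lines (assumed format)."""
    result = {"patched": [], "vulnerable": [], "review": []}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        result[classify(version)].append(host.strip())
    return result

# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = """\
# host,reported version
ws-001,Mozilla Firefox 138.0.4
ws-002,Mozilla Firefox 138.0.3
ws-003,Mozilla Firefox 137.0
ws-004,Mozilla Firefox 128.10.0esr
ws-005,Mozilla Firefox 139.0b5
ws-006,Mozilla Firefox 140.0
ws-007,unknown
""".splitlines()

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Hosts in the `review` bucket should be checked against Mozilla's advisory for their channel rather than treated as safe.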