Mozilla fixes Firefox zero-days exploited at hacking contest
Published on: 2025-07-04 00:10:56
Mozilla released emergency security updates to address two Firefox zero-day vulnerabilities demonstrated in the recent Pwn2Own Berlin 2025 hacking competition.
The fixes, which cover Firefox on Desktop and Android and two Extended Support Releases (ESR), came mere hours after the conclusion of Pwn2Own on Saturday, where the second vulnerability was demonstrated.
The first flaw, tracked under CVE-2025-4918, is an out-of-bounds read/write issue in the JavaScript engine when resolving Promise objects.
The flaw was demonstrated during Day 2 of the competition by Palo Alto Networks security researchers Edouard Bochin and Tao Yan, who earned $50,000 for their discovery.
The second flaw, CVE-2025-4919, allows attackers to perform out-of-bounds reads/writes on a JavaScript object by confusing array index sizes.
It was discovered by security researcher Manfred Paul, who gained unauthorized access within the program's renderer, winning $50,000 in the process.
Although the flaws cons