Mozilla Firefox 138.0.4 Fixes Significant Security Flaws

Image Credit: monticello/shutterstock

Mozilla has launched a crucial security update for its open-source Firefox web browser, addressing two vulnerabilities that were exploited during the 2025 Pwn2Own Berlin security competition.

Key Details:

  • Both vulnerabilities have been rated with a critical severity level.
  • They were successfully exploited at the Pwn2Own event in Berlin in 2025.
  • Updates are now available for both Firefox Stable and Firefox ESR.

Users of the stable version of Firefox are urged to update promptly to version 138.0.4 to protect their data from these vulnerabilities. Because the exploits were demonstrated successfully at the event, cybercriminals are likely to try to replicate them.

Both versions of Firefox ESR (Extended Support Release) are also affected. Mozilla currently manages two ESR branches: one supports older operating systems such as Windows 7, whereas the other caters to modern systems including Windows 10 and 11.

Most users should receive the update automatically. However, Firefox users can expedite the installation process by going to Menu > Help > About Firefox. This will trigger an immediate download and installation of the update on desktop systems.

The following are the Firefox versions after applying the update:

  • Firefox Stable: 138.0.4
  • Firefox 115 ESR: 115.23.1
  • Firefox 128 ESR: 128.10.1
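
To confirm that machines actually reached these versions, the following added example (not from Mozilla or the original article) checks reported version strings against the three fixed versions listed above. The inventory, host names, and the `Mozilla Firefox <version>` string form are constructed sample data and assumptions.

```python
import re

# Fixed versions as listed in the article.
FIXED_STABLE = (138, 0, 4)
FIXED_ESR = {115: (115, 23, 1), 128: (128, 10, 1)}  # keyed by ESR major version

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Return (major, minor, patch) from a version string, or None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_patched(text):
    """True if at or above a fixed version, False if below, None if unparsable."""
    v = parse_version(text)
    if v is None:
        return None
    esr_fix = FIXED_ESR.get(v[0])
    # A 115.x or 128.x build counts as patched only at or above its ESR fix;
    # an old stable 128.0.x falls through and fails the stable comparison.
    if esr_fix is not None and v >= esr_fix:
        return True
    return v >= FIXED_STABLE

def hosts_needing_update(inventory):
    """Return sorted (host, status) pairs for hosts not confirmed patched."""
    findings = []
    for host, reported in inventory.items():
        status = is_patched(reported)
        if status is not True:
            findings.append((host, "unparsed" if status is None else "outdated"))
    return sorted(findings)

# Constructed sample inventory: host name -> reported version string.
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 138.0.4",
    "ws-02": "Mozilla Firefox 138.0.1",
    "kiosk-07": "Mozilla Firefox 115.23.0esr",
    "lab-03": "Mozilla Firefox 128.10.1esr",
    "build-02": "",
}

if __name__ == "__main__":
    for host, status in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Hosts reported as "unparsed" should be checked by hand rather than assumed safe.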

Overview of the Two Critical Vulnerabilities

Mozilla provides details regarding the vulnerabilities remedied in this update on its official security advisory page for Firefox. Both have been designated a critical severity rating, the most serious classification available.

  • CVE-2025-4920: Out-of-bounds access when resolving Promise objects. An attacker could perform an out-of-bounds read or write on a JavaScript Promise object.
  • CVE-2025-4921: Out-of-bounds access during optimization of linear sums. An attacker could perform an out-of-bounds read or write on a JavaScript object by manipulating array index sizes.

The next major Firefox release will be version 139 Stable, alongside Firefox 115.24 ESR and Firefox 128.11 ESR, which are set to launch concurrently.
