CVE-2025-4918
Basic Information
- CVE State: PUBLISHED
- Reserved Date: May 17, 2025
- Published Date: May 17, 2025
- Last Updated: May 22, 2025
- Vendor: Mozilla
- Product: Firefox, Firefox ESR, Thunderbird
- Description: An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability affects Firefox < 138.0.4, Firefox ESR < 128.10.1, Firefox ESR < 115.23.1, Thunderbird < 128.10.2, and Thunderbird < 138.0.2.
CVSS Scores
CVSS v3.1
7.5 - HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score
- Score: 0.05% (Percentile: 13.81%) as of 2025-06-14
SSVC Information
- Exploitation: none
- Technical Impact: total
Exploit Status
- Exploited in the Wild: Yes (2025-05-24 09:42:11 UTC)
References
https://bugzilla.mozilla.org/show_bug.cgi?id=1966612
https://www.mozilla.org/security/advisories/mfsa2025-36/
https://www.mozilla.org/security/advisories/mfsa2025-37/
https://www.mozilla.org/security/advisories/mfsa2025-38/
https://www.mozilla.org/security/advisories/mfsa2025-40/
https://www.mozilla.org/security/advisories/mfsa2025-41/
Known Exploited Vulnerability Information
Source | Added Date |
---|---|
The Shadowserver (via CIRCL) | 2025-05-24 12:00:16 UTC |
Recent Mentions
Firefox Patches 2 Zero-Days Exploited at Pwn2Own Berlin with $100K in Rewards
Source: TheHackerNews • Published: 2025-05-19 10:37:00 UTC
Mozilla has released security updates to address two critical security flaws in its Firefox browser that could be potentially exploited to access sensitive data or achieve code execution.
The vulnerabilities, both of which were exploited as a zero-day at Pwn2Own Berlin, are listed below -
CVE-2025-4918 - An out-of-bounds access vulnerability when resolving Promise objects that could allow an
Timeline
- CVE ID Reserved
- CVE Published to Public
- Added to KEVIntel