CVE-2025-4919
Basic Information
- CVE State: PUBLISHED
- Reserved Date: May 17, 2025
- Published Date: May 17, 2025
- Last Updated: May 22, 2025
- Vendor: Mozilla
- Product: Firefox, Firefox ESR, Thunderbird
- Description: An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes. This vulnerability affects Firefox < 138.0.4, Firefox ESR < 128.10.1, Firefox ESR < 115.23.1, Thunderbird < 128.10.2, and Thunderbird < 138.0.2.
CVSS Scores
- CVSS v3.1: 8.8 - HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score
- Score: 0.05% (Percentile: 14.04%) as of 2025-06-14
SSVC Information
- Exploitation: none
- Technical Impact: total
Exploit Status
- Exploited in the Wild: Yes (2025-05-24 09:43:42 UTC)
References
https://bugzilla.mozilla.org/show_bug.cgi?id=1966614
https://www.mozilla.org/security/advisories/mfsa2025-36/
https://www.mozilla.org/security/advisories/mfsa2025-37/
https://www.mozilla.org/security/advisories/mfsa2025-38/
https://www.mozilla.org/security/advisories/mfsa2025-40/
https://www.mozilla.org/security/advisories/mfsa2025-41/
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| The Shadowserver (via CIRCL) | 2025-05-24 12:00:10 UTC |
Recent Mentions
ZDI-25-291: (Pwn2Own) Mozilla Firefox IonMonkey JIT Compiler Integer Overflow Remote Code Execution Vulnerability
Source: Zero Day Initiative Published Advisories • Published: 2025-05-21 05:00:00 UTC
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-4919.
ZDI-25-292: (Pwn2Own) Mozilla Firefox SpiderMonkey Out-Of-Bounds Write Remote Code Execution Vulnerability
Source: Zero Day Initiative Published Advisories • Published: 2025-05-21 05:00:00 UTC
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-4919.
Timeline
- CVE ID Reserved
- CVE Published to Public
- Added to KEVIntel