Mozilla Patches Critical Firefox Bug Similar to Chrome's Recent Zero-Day Vulnerability

Mozilla has released updates to address a critical security flaw impacting its Firefox browser for Windows, merely days after Google patched a similar flaw in Chrome that came under active exploitation as a zero-day.

The security vulnerability, CVE-2025-2857, has been described as a case of an incorrect handle that could lead to a sandbox escape.

"Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC [inter-process communication] code," Mozilla said in an advisory.

"A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape."

The shortcoming, which affects Firefox and Firefox ESR, has been addressed in Firefox 136.0.4, Firefox ESR 115.21.1, and Firefox ESR 128.8.1. There is no evidence that CVE-2025-2857 has been exploited in the wild.

The development comes as Google released Chrome version 134.0.6998.177/.178 for Windows to fix CVE-2025-2783, which has been exploited in the wild as part of attacks targeting media outlets, educational institutions, and government organizations in Russia.

Kaspersky, which detected the activity in mid-March 2025, said the infection occurred after unspecified victims clicked on a specially crafted link in phishing emails and the attacker-controlled website was opened using Chrome.

CVE-2025-2783 is said to have been chained together with another unknown exploit in the web browser to break out of the confines of the sandbox and achieve remote code execution. That said, patching the bug effectively blocks the entire attack chain.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring that federal agencies apply the necessary mitigations by April 17, 2025.

Users are recommended to update their browser instances to the latest versions to safeguard against potential risks.
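A version check for an endpoint inventory against the fixed Firefox builds listed above, as an added example that is not from Mozilla or the original article. The host names, status labels and sample inventory are constructed, and the check assumes that builds newer than a fixed release on the same branch carry the fix.

```python
import re

# Fixed builds named in the article for CVE-2025-2857 (Firefox for Windows).
FIXED_RELEASE = (136, 0, 4)
FIXED_ESR = {115: (115, 21, 1), 128: (128, 8, 1)}

def parse_version(text):
    """Split a version such as '128.8.0esr' into ((128, 8, 0), True)."""
    m = re.fullmatch(r"(\d+(?:\.\d+){1,3})(esr)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts += (0,) * (3 - len(parts))  # pad '137.0' to (137, 0, 0)
    return parts, m.group(2) is not None

def status(version, platform="windows"):
    """Classify one install against the fixed builds."""
    if platform.lower() != "windows":
        return "not-in-scope"  # the article describes the flaw as Windows-only
    parts, is_esr = parse_version(version)
    if not is_esr:
        return "patched" if parts >= FIXED_RELEASE else "update-required"
    fixed = FIXED_ESR.get(parts[0])
    if fixed is None:
        # ESR branch the article does not name: only a later branch is
        # assumed to include the fix; older branches have no fixed build.
        return "patched" if parts[0] > max(FIXED_ESR) else "update-required"
    return "patched" if parts >= fixed else "update-required"

def audit(inventory):
    """Map each host to a status; unparsable versions are flagged for review."""
    results = {}
    for host, platform, version in inventory:
        try:
            results[host] = status(version, platform)
        except ValueError:
            results[host] = "unknown"
    return results

# Constructed sample inventory: (host, platform, reported Firefox version).
INVENTORY = [
    ("ws-01", "windows", "136.0.3"),
    ("ws-02", "windows", "136.0.4"),
    ("ws-03", "windows", "128.8.0esr"),
    ("ws-04", "windows", "115.21.1esr"),
    ("ws-05", "linux", "136.0.3"),
    ("ws-06", "windows", "137.0b5"),
]

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host}: {result}")
```
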
