CVE-2025-4918

Public Exploit

Description

An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability affects Firefox < 138.0.4, Firefox ESR < 128.10.1, Firefox ESR < 115.23.1, Thunderbird < 128.10.2, and Thunderbird < 138.0.2.

References

Link	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=1966612	permissions required
https://www.mozilla.org/security/advisories/mfsa2025-36/	vendor advisory
https://www.mozilla.org/security/advisories/mfsa2025-37/	vendor advisory
https://www.mozilla.org/security/advisories/mfsa2025-38/	vendor advisory
https://www.mozilla.org/security/advisories/mfsa2025-40/	vendor advisory
https://www.mozilla.org/security/advisories/mfsa2025-41/	vendor advisory
https://www.vicarius.io/vsociety/posts/cve-2025-4918-detect-firefox-out-of-bounds-write	third party advisory exploit
https://www.vicarius.io/vsociety/posts/cve-2025-4918-mitigate-firefox-out-of-bounds-write	third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2025-4918?: CVE-2025-4918 has been scored as a high severity vulnerability.
How to fix CVE-2025-4918?: To fix CVE-2025-4918, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-4918 being actively exploited in the wild?: It is possible that CVE-2025-4918 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-4918?: CVE-2025-4918 affects Mozilla Firefox, Mozilla Firefox ESR, Mozilla Firefox ESR, Mozilla Thunderbird, Mozilla Thunderbird.

Description

Category

CWE-125 – Out-of-bounds Read

References

Frequently Asked Questions