CVE-2025-4918

9.8 CRITICAL

📋 TL;DR

This vulnerability allows an attacker to perform out-of-bounds memory operations on JavaScript Promise objects, potentially leading to arbitrary code execution. It affects Firefox, Firefox ESR, and Thunderbird users running outdated versions. Attackers could exploit this by tricking users into visiting malicious websites.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 138.0.4, Firefox ESR < 128.10.1, Firefox ESR < 115.23.1, Thunderbird < 128.10.2, Thunderbird < 138.0.2
Operating Systems: Windows, Linux, macOS, All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special settings required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with system-level privileges, complete system compromise, data theft, and persistent backdoor installation.

🟠 Likely Case: Browser crash, memory corruption leading to information disclosure, or limited code execution within browser sandbox.

🟢 If Mitigated: Browser crash with no data loss if sandboxing works properly, or exploit blocked by security controls.

🌐 Internet-Facing: HIGH - Web browsers are inherently internet-facing and users regularly visit untrusted websites.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or compromised internal websites.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires JavaScript execution in browser context. No authentication needed - visiting malicious website is sufficient.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, Thunderbird 128.10.2, Thunderbird 138.0.2

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-36/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. Browser will check for updates and prompt to install.
4. Restart browser when update completes.
5. Verify version matches patched versions above.

🔧 Temporary Workarounds

Disable JavaScript

all

Temporarily disable JavaScript execution to prevent exploitation

about:config → javascript.enabled = false

Use Content Security Policy

all

Implement strict CSP headers to restrict script execution

Content-Security-Policy: script-src 'self'

🧯 If You Can't Patch

  • Restrict browser usage to trusted websites only
  • Implement network filtering to block malicious domains and scripts

🔍 How to Verify

Check if Vulnerable:

Check browser version in About dialog. If version matches affected ranges, system is vulnerable.

Check Version:

Firefox: about:support → Application Basics → Version. Thunderbird: Help → About Thunderbird

Verify Fix Applied:

Verify browser version matches patched versions: Firefox ≥138.0.4, Firefox ESR ≥128.10.1 or ≥115.23.1, Thunderbird ≥128.10.2 or ≥138.0.2

📡 Detection & Monitoring

Log Indicators:

  • Browser crash logs with memory access violations
  • Unexpected process termination
  • High memory usage patterns

Network Indicators:

  • Requests to known malicious domains hosting exploit code
  • Unusual JavaScript execution patterns

SIEM Query:

source="browser_logs" AND (event="crash" OR event="memory_violation") AND version<"138.0.4"
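
Added example, not taken from the vendor advisory or this page's source: a branch-aware check of installed versions against the patched versions listed above. It compares version components numerically per release branch, because a string comparison of dotted versions (which a filter like `version<"138.0.4"` may perform) sorts "99.0" after "138.0.4". The inventory rows, function names, and the handling of branches with no listed fix are assumptions.

```python
import re

# Fixed releases from the advisory text above, grouped by product.
PATCHED = {
    "firefox": [(138, 0, 4)],
    "firefox-esr": [(115, 23, 1), (128, 10, 1)],
    "thunderbird": [(128, 10, 2), (138, 0, 2)],
}

def parse_version(text):
    """Turn '128.10.0esr' into (128, 10, 0); missing parts count as 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def is_vulnerable(product, version):
    """True if this build predates the fix for its release branch."""
    product = product.strip().lower()
    # ESR builds report versions such as '128.10.0esr'.
    if product == "firefox" and version.strip().lower().endswith("esr"):
        product = "firefox-esr"
    fixes = PATCHED[product]
    v = parse_version(version)
    for fix in fixes:
        if fix[0] == v[0]:  # same major branch as a listed fix
            return v < fix
    # Assumption: a branch with no listed fix is safe only if it is
    # newer than the newest fixed release for that product.
    return v < max(fixes)

# Constructed inventory rows (host, product, version) for illustration.
INVENTORY = [
    ("ws-01", "firefox", "138.0.3"),
    ("ws-02", "firefox", "138.0.4"),
    ("ws-03", "firefox", "99.0"),
    ("ws-04", "firefox", "115.24.0esr"),
    ("ws-05", "firefox", "128.10.0esr"),
    ("ws-06", "thunderbird", "128.10.2"),
    ("ws-07", "thunderbird", "137.0"),
]

def vulnerable_hosts(rows):
    """Return the hosts whose product/version pair is still unpatched."""
    return [host for host, product, version in rows
            if is_vulnerable(product, version)]

if __name__ == "__main__":
    print(vulnerable_hosts(INVENTORY))
```
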
