Mozilla Fixes High-Risk Firefox Vulnerability Similar to Chrome’s Zero-Day

Mozilla has rolled out critical security updates for its Firefox browser on Windows, addressing a severe vulnerability that could allow attackers to break out of the browser’s security sandbox. This comes just days after Google patched a similar flaw in Chrome, which had been actively exploited as a zero-day vulnerability.

The Security Flaw (CVE-2025-2857)

The security issue, identified as CVE-2025-2857, has been classified as a high-risk flaw related to incorrect handle management in Firefox’s inter-process communication (IPC) system. If exploited, this vulnerability could enable a compromised child process to trick the parent process into returning an unintended high-privilege handle, ultimately leading to a sandbox escape.

Mozilla confirmed in its security advisory that this flaw was discovered after analyzing Google’s recent zero-day Chrome exploit (CVE-2025-2783). Firefox developers found a similar pattern in their own IPC code and promptly moved to fix it.

Affected Firefox Versions

The vulnerability impacts multiple versions of Firefox, including:

• Firefox

• Firefox ESR (Extended Support Release)

Mozilla has released the following security updates to patch the flaw:

• Firefox 136.0.4

• Firefox ESR 115.21.1

• Firefox ESR 128.8.1

At this time, there is no evidence that CVE-2025-2857 has been actively exploited in the wild, but users are strongly advised to update their browsers immediately to prevent potential threats.

Tor Browser Also Affected

Since the Tor Browser is based on Firefox, the developers of the privacy-focused browser have also issued a security update. The latest version, Tor Browser 14.0.8, addresses the same vulnerability for Windows users, ensuring a safer browsing experience.

Chrome’s Similar Zero-Day Attack and Its Impact

Mozilla’s patch comes shortly after Google addressed a similar zero-day vulnerability (CVE-2025-2783) in Chrome. Unlike Firefox’s case, Chrome’s vulnerability was already being actively exploited by cybercriminals.

According to cybersecurity firm Kaspersky, the attack targeted media organizations, educational institutions, and government agencies in Russia. The breach was initiated through a malicious phishing email containing a specially crafted link. When victims clicked the link, their Chrome browser opened an attacker-controlled website, which then executed the exploit.

Security researchers believe the attackers chained CVE-2025-2783 with another unknown exploit to bypass Chrome’s sandbox protections and achieve remote code execution on affected systems. The vulnerability was patched in Chrome 134.0.6998.177/.178 for Windows, effectively neutralizing the attack chain.

CISA’s Response and Federal Mitigation Deadline

Given the severity of Chrome’s exploited flaw, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-2783 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies are required to apply the necessary mitigations no later than April 17, 2025, to ensure their systems are secure.

While CVE-2025-2857 (the Firefox vulnerability) has not been exploited in the wild, security experts caution that attackers may try to develop exploits soon, making it critical for all users to update their browsers as soon as possible.

Why Browser Updates Are Essential

Cybercriminals continuously look for new vulnerabilities in popular software like web browsers. Exploiting a browser flaw can grant attackers access to sensitive information, allow them to execute malicious code, or even take full control of a compromised system.

Regular browser updates help:

• Fix security vulnerabilities before they can be exploited.

• Enhance performance and stability for a smoother user experience.

• Ensure compatibility with the latest web technologies and security standards.