Mozilla has released updates to address a critical security flaw affecting its Firefox browser for Windows, just days after Google patched a similar flaw in Chrome that came under active exploitation as a zero-day.
The security vulnerability, CVE-2025-2857, has been described as a case of an incorrect handle that could lead to a sandbox escape.
“Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC [inter-process communication] code,” Mozilla said in an advisory.
“A compromised child process may cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape.”
The shortcoming, which affects Firefox and Firefox ESR, has been addressed in Firefox 136.0.4, Firefox ESR 115.21.1, and Firefox ESR 128.8.1. There is no evidence that CVE-2025-2857 has been exploited in the wild.
The Tor Project has also shipped a security update for the Tor Browser (version 14.0.8) to address the same issue for Windows users.
The development comes as Google released Chrome version 134.0.6998.177/.178 for Windows to fix CVE-2025-2783, which has been exploited in the wild as part of attacks targeting media outlets, educational institutions, and government organizations in Russia.
Kaspersky, which detected the activity in mid-March 2025, said the infection occurred after unspecified victims clicked on a specially crafted link in phishing emails and the attacker-controlled website was opened using Chrome.
CVE-2025-2783 is said to have been chained together with another, as yet unknown exploit in the web browser to break out of the confines of the sandbox and achieve remote code execution. That said, patching the bug effectively blocks the entire attack chain.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring that federal agencies apply the necessary mitigations by April 17, 2025.
Users are advised to update their browser installations to the latest versions to safeguard against potential risks.