A zero-day vulnerability first found in Google Chrome has turned out to affect Mozilla Firefox as well, prompting urgent fixes from both companies.
The flaw, identified as CVE-2025-2783, initially led Google to release an emergency patch for Chrome users on Windows. Although Firefox operates on its own browser engine rather than Google’s Chromium, Mozilla discovered that the vulnerability also posed a risk to Firefox users and issued a fix on Thursday.
Exploit Details: More Than Just a Chromium Issue
Google initially attributed the vulnerability to a logic flaw in Mojo, a programming language used by Windows. However, Mozilla’s analysis suggests the problem stems from internal processes on Windows, not Mojo itself.
In a blog post, Mozilla revealed that after analyzing CVE-2025-2783, its developers identified a similar exploit pattern in Firefox’s IPC (interprocess communication) code, a Windows mechanism that facilitates data sharing between applications. This vulnerability allows hackers to bypass the browser’s sandbox, the security layer designed to contain malicious activity.
“Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code,” Mozilla stated. The company further explained that attackers could manipulate the parent process to leak handles to unprivileged child processes, leading to a sandbox escape.
Patches Released for Affected Versions
The flaw affects only Firefox users on Windows. Mozilla has released patches in the following versions:
- Firefox 136.0.4
- Firefox ESR 115.21.1
- Firefox ESR 128.8.1
Wider Impact: Chromium-Based Browsers Affected
In addition to Firefox and Chrome, other browsers using the Chromium engine—such as Microsoft Edge and Brave—have also issued patches to address CVE-2025-2783.
Exploitation and Real-World Attacks
Antivirus firm Kaspersky has reported that the flaw was recently exploited to deliver spyware to Russian users through phishing emails. Victims were tricked into clicking malicious links, triggering the attack. Although Kaspersky was only able to recover the second stage of the attack—where rogue code was executed remotely—Google’s patch is expected to neutralize the entire attack chain.
Kaspersky plans to release further details about the attack once the Chrome patch reaches most users.
What Users Should Do
To stay protected, users should immediately update their browsers to the latest versions:
✅ Chrome users should apply the emergency patch issued by Google.
✅ Firefox users on Windows should install the updates released in Firefox 136.0.4, Firefox ESR 115.21.1, and Firefox ESR 128.8.1.
✅ Users of Chromium-based browsers like Edge and Brave should ensure they are running the latest patched versions.
With the vulnerability already being exploited in the wild, prompt updates are crucial to preventing further attacks.
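For anyone checking a fleet of Windows machines rather than a single browser, the catch in the list above is that the fixed version depends on the release branch: Firefox 130 is newer than ESR 128.8.1 but still below its own fix in 136.0.4. The script below, an added example that is not Mozilla's code, encodes the three fixed releases the article names and flags any installed version that sits below the fix for its branch. The hostnames and versions in the sample inventory are constructed, and the rule that any major other than 115 or 128 is a mainline release fixed in 136.0.4 is an assumption of this example.

```python
import re
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]

# Fixed releases named in the article. 115 and 128 are ESR branches with their
# own fixes; every other major is treated as mainline, fixed in 136.0.4
# (that "everything else is mainline" rule is an assumption of this example).
ESR_FIXES: Dict[int, Version] = {
    115: (115, 21, 1),   # Firefox ESR 115.21.1
    128: (128, 8, 1),    # Firefox ESR 128.8.1
}
MAINLINE_FIX: Version = (136, 0, 4)  # Firefox 136.0.4


def parse_version(text: str) -> Version:
    """'128.8.1esr' -> (128, 8, 1); short strings like '137' are padded to 3 parts."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if not nums:
        raise ValueError(f"not a version string: {text!r}")
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def required_fix(version: Version) -> Version:
    """Fixed release that applies to the branch this version belongs to."""
    return ESR_FIXES.get(version[0], MAINLINE_FIX)


def is_patched(text: str) -> bool:
    """True when the installed version is at or above the fix for its own branch.
    Comparing per branch, not against the highest number, is the point:
    130.0 is newer than ESR 128.8.1 yet still below its own fix (136.0.4)."""
    v = parse_version(text)
    return v >= required_fix(v)


def unpatched_hosts(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, installed, required) for every host still below its branch's fix."""
    findings = []
    for host, installed in inventory:
        v = parse_version(installed)
        fix = required_fix(v)
        if v < fix:
            findings.append((host, installed, ".".join(map(str, fix))))
    return findings


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("ws-001", "136.0.4"),
    ("ws-002", "136.0.3"),
    ("ws-003", "128.8.1esr"),
    ("ws-004", "128.7.0esr"),
    ("ws-005", "115.21.1esr"),
    ("ws-006", "130.0"),
]

if __name__ == "__main__":
    for host, installed, needed in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Firefox {installed} -> update to {needed}")
```

Run against the sample inventory it reports ws-002, ws-004 and ws-006; the last one is the case a naive "is it newer than 128.8.1?" check would miss. Versions are compared as integer tuples rather than strings so that 136.0.10 sorts after 136.0.4.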