
Mozilla Patches Critical Firefox Bug Amid Chrome’s Recent Zero-Day Exploits


Mozilla has rolled out critical security updates for its Firefox browser on Windows, just days after Google patched a similar zero-day vulnerability in Chrome that was actively exploited.


Critical Firefox Vulnerability (CVE-2025-2857)

The newly identified security flaw, tracked as CVE-2025-2857, is a sandbox escape vulnerability caused by incorrect handle management.


"Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC [inter-process communication] code," Mozilla stated in its advisory.


According to the company, a compromised child process could manipulate the parent process into returning an excessively privileged handle, leading to a sandbox escape—a serious security risk.


Affected Versions and Fixes

The vulnerability impacts Firefox and Firefox ESR, and has been patched in the following versions:

  • Firefox 136.0.4

  • Firefox ESR 115.21.1

  • Firefox ESR 128.8.1


As of now, there is no evidence that CVE-2025-2857 has been exploited in real-world attacks.


Tor Browser Security Update

In response to the vulnerability, the Tor Project has also released Tor Browser 14.0.8 to protect Windows users from potential threats.


Chrome’s Zero-Day Exploitation (CVE-2025-2783)

Mozilla’s security update comes shortly after Google patched CVE-2025-2783, a Chrome zero-day vulnerability that was actively exploited to target:

  • Media outlets

  • Educational institutions

  • Government organizations in Russia


Cybersecurity firm Kaspersky detected the exploit in mid-March 2025. The attack began with victims unknowingly clicking on phishing links, leading them to attacker-controlled websites opened via Chrome.


Once executed, CVE-2025-2783 was used in combination with another unidentified exploit to bypass the browser’s sandbox and achieve remote code execution. However, Google’s patch has effectively disrupted the entire attack chain.


CISA’s Response & Security Recommendations

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since included CVE-2025-2783 in its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must apply the necessary patches by April 17, 2025.


Protect Yourself: Update Your Browser

To mitigate potential threats, users are strongly advised to update their browsers to the latest versions immediately.

  • Firefox users: Update to 136.0.4, ESR 115.21.1, or ESR 128.8.1

  • Chrome users: Install version 134.0.6998.177/.178

  • Tor Browser users: Upgrade to 14.0.8
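As an added example (not code from the article, Mozilla, Google or the Tor Project), the script below encodes the fixed versions listed above so an inventory of installed browsers can be screened for builds that still lack the fix. Firefox needs branch-aware comparison because ESR 115, ESR 128 and the release train each have their own fixed version; the host inventory is a constructed sample.

```python
from typing import Iterable, List, Tuple

Version = Tuple[int, ...]

# Fixed versions from the advisories summarised above. Firefox ships three
# parallel branches, so the check must pick the branch before comparing.
FIREFOX_ESR_FIXED = {115: (115, 21, 1), 128: (128, 8, 1)}
FIREFOX_RELEASE_FIXED: Version = (136, 0, 4)
CHROME_FIXED: Version = (134, 0, 6998, 177)   # .178 carries the same fix
TOR_FIXED: Version = (14, 0, 8)


def parse_version(text: str) -> Version:
    """Turn '134.0.6998.178' (or '115.21.1esr') into a tuple of ints."""
    return tuple(int(p) for p in text.strip().lower().removesuffix("esr").split("."))


def firefox_is_patched(version: str) -> bool:
    v = parse_version(version)
    if v[0] in FIREFOX_ESR_FIXED:          # ESR 115.x or ESR 128.x branch
        return v >= FIREFOX_ESR_FIXED[v[0]]
    return v >= FIREFOX_RELEASE_FIXED      # rapid-release train (136 and later)


def is_patched(product: str, version: str) -> bool:
    """True if the installed build already carries the fix for its product."""
    if product == "firefox":
        return firefox_is_patched(version)
    if product == "chrome":
        return parse_version(version) >= CHROME_FIXED
    if product == "tor":
        return parse_version(version) >= TOR_FIXED
    raise ValueError(f"unknown product: {product}")


# Constructed sample inventory (hostname, product, reported version); not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "136.0.3"),        # one patch level short
    ("ws-02", "firefox", "128.8.1"),        # ESR 128 fixed build
    ("ws-03", "firefox", "115.20.0"),       # ESR 115, still unpatched
    ("ws-04", "chrome", "134.0.6998.165"),  # earlier Chrome 134 build
    ("ws-05", "tor", "14.0.8"),             # fixed Tor Browser
]


def unpatched_hosts(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames still running a vulnerable build."""
    return [host for host, product, version in inventory
            if not is_patched(product, version)]


if __name__ == "__main__":
    print("needs update:", unpatched_hosts(SAMPLE_INVENTORY))
```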


Keeping your browser updated is essential to ensuring robust cybersecurity protection against evolving threats.

