CVE-2025-4918

Summary

An attacker was able to perform an out-of-bounds read or write on a JavaScript Promise object. This vulnerability was fixed in Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, Thunderbird 128.10.2, and Thunderbird 138.0.2.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefox115.23.1 <= 115.*unaffected
MozillaFirefox128.10.1 <= 128.*unaffected
MozillaFirefox138.0.4 <= *unaffected
MozillaThunderbird128.10.2 <= 128.*unaffected
MozillaThunderbird138.0.2 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References