Mozilla has released updates to address a critical security flaw impacting its Firefox browser for Windows, merely days after Google patched a similar flaw in Chrome that came under active exploitation as a zero-day.
The security vulnerability, CVE-2025-2857, has been described as a case of an incorrect handle that could lead to a sandbox escape.
“Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC [inter-process communication] code,” Mozilla said in an advisory.
“A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape.”
The shortcoming, which affects Firefox and Firefox ESR, has been addressed in Firefox 136.0.4, Firefox ESR 115.21.1, and Firefox ESR 128.8.1. There is no evidence that CVE-2025-2857 has been exploited in the wild.
The development comes as Google released Chrome version 134.0.6998.177/.178 for Windows to fix CVE-2025-2783, which has been exploited in the wild as part of attacks targeting media outlets, educational institutions, and government organizations in Russia.
Kaspersky, which detected the activity in mid-March 2025, said the infection occurred after unspecified victims clicked on a specially crafted link in phishing emails and the attacker-controlled website was opened using Chrome.
CVE-2025-2783 is said to have been chained together with another unknown exploit in the web browser to break out of the confines of the sandbox and achieve remote code execution. That said, patching the bug effectively blocks the entire attack chain.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring that federal agencies apply the necessary mitigations by April 17, 2025.
Users are recommended to update their browser instances to the latest versions to safeguard against potential risks.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
The Hacker News
