If you use Firefox, this matters: this update fixes a previously unknown vulnerability

A critical Firefox update fixes a sandbox escape vulnerability of the same kind as the one recently exploited in Chrome. Only Windows builds are affected. Update now to stay protected.

Agencias

  • March 28, 2025
  • Updated: July 1, 2025 at 10:02 PM
A serious security vulnerability has been discovered and patched in Mozilla Firefox, echoing a recent Chrome zero-day. If exploited, the flaw would allow an attacker who has already compromised a sandboxed browser process to escape the sandbox and run code with the privileges of the browser's main process on a Windows machine. While Google's Chrome vulnerability (CVE-2025-2783) was already being exploited in the wild, Mozilla found and fixed its similar bug (CVE-2025-2857) before any exploitation was reported.

Firefox’s IPC bug mirrors Chrome’s zero-day

Following the disclosure of the Chrome bug, Mozilla developers reviewed their own code and identified a similar pattern in Firefox's IPC (inter-process communication) layer: a compromised child process could cause the privileged parent process to return an unintentionally powerful handle. In Firefox's multi-process design, web content runs in sandboxed child processes and asks the parent to perform privileged operations on its behalf, so a handle that grants more access than intended lets the child break out of the sandbox, the key security barrier that isolates web content from the rest of the system. On its own the bug does not give an attacker code execution; it would be chained with a separate vulnerability that first compromises the content process.

The sandbox is critical to preventing malicious websites from accessing user data or interfering with the operating system. Escaping it lets an attacker install malware or spy on users with the full privileges of the logged-in account, which is what makes this a high-risk flaw.

The patch and what users need to do

Mozilla has issued a patch and urges users to update immediately to Firefox 136.0.4, Firefox ESR 128.8.1, or Firefox ESR 115.21.1. Each supported branch has its own fixed version, so an ESR deployment is not protected by the release-channel number and vice versa. The issue only affects Firefox on Windows; macOS and Linux users are not impacted.
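Because the fixed version differs per branch, a simple "is my version at least 136.0.4" check misclassifies ESR installs. The following is an added example, not Mozilla's code, showing how to map an installed Firefox version string to its branch and decide whether it carries the CVE-2025-2857 fix. It assumes that the branch can be inferred from the major version (115 and 128 being the ESR majors at the time of the advisory), that only Windows builds are affected, and that release-channel builds older than 136.0.4 (including end-of-life releases between the ESR majors) should be treated as unpatched. The inventory records at the bottom are constructed sample data.

```python
import re

# Minimum fixed versions per branch, taken from Mozilla's advisory for CVE-2025-2857.
PATCHED = {
    "esr115": (115, 21, 1),
    "esr128": (128, 8, 1),
    "release": (136, 0, 4),
}


def parse_version(v: str) -> tuple[int, int, int]:
    """Turn a Firefox version string such as '128.8.1esr' or '136.0.4' into a 3-tuple.

    A missing patch component (e.g. '135.0') is treated as 0.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {v!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def branch_for(version: tuple[int, int, int]) -> str:
    """Infer the branch from the major number.

    Assumption: 115 and 128 are the ESR majors; everything else is treated
    as the regular release channel.
    """
    major = version[0]
    if major == 115:
        return "esr115"
    if major == 128:
        return "esr128"
    return "release"


def is_patched(version_str: str, platform: str = "windows") -> bool:
    """Return True if this Firefox build is not affected by CVE-2025-2857.

    Only Windows builds are affected, so any version on macOS or Linux is
    considered safe. Within a branch, the build is safe when its version is
    at or above that branch's fixed version.
    """
    if platform.lower() != "windows":
        return True
    v = parse_version(version_str)
    return v >= PATCHED[branch_for(v)]


def hosts_needing_update(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Given (hostname, platform, firefox_version) records, list hosts still exposed."""
    return [host for host, platform, version in inventory
            if not is_patched(version, platform)]


# Constructed sample inventory (hypothetical hostnames, not real data).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "136.0.4"),      # release, fixed
    ("ws-02", "windows", "136.0.3"),      # release, one build short
    ("ws-03", "windows", "128.8.1esr"),   # ESR 128, fixed
    ("ws-04", "windows", "128.8.0esr"),   # ESR 128, vulnerable
    ("ws-05", "windows", "115.21.0esr"),  # ESR 115, vulnerable
    ("ws-06", "windows", "135.0"),        # stale release build
    ("lnx-01", "linux", "128.8.0esr"),    # not a Windows build, not affected
]

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: Firefox needs updating for CVE-2025-2857")
```

Run against a real fleet, the version strings would come from an inventory tool or from the `firefox --version` output on each host; the point of the branch lookup is that ESR 128.8.0 must be flagged even though it is "older" than 136.0.4 by the same rule that flags 135.0, while 128.8.1 must not be.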

The Chrome vulnerability was actively exploited in a campaign dubbed Operation ForumTroll, which targeted users in Russia with phishing emails, but there is no evidence so far that the Firefox flaw has been abused. The two bugs nonetheless share a concerning resemblance, and the fact that one of them was already in use by attackers is why the Firefox fix is being treated with urgency across the security community.

Users should not delay updating their browsers: now that the fix is public, anyone still on an older version remains exposed to an attacker who works out the details from the patch.
