CVE-2025-4919 | THREATINT

Description

An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes. This vulnerability was fixed in Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, Thunderbird 128.10.2, and Thunderbird 138.0.2.

PUBLISHED Reserved 2025-05-17 | Published 2025-05-17 | Updated 2026-04-13 | Assigner mozilla

Product status

115.23.1 (rpm)

unaffected

128.10.1 (rpm)

unaffected

138.0.4 (rpm)

unaffected

128.10.2 (rpm)

unaffected

138.0.2 (rpm)

unaffected

Credits

Manfred Paul working with Trend Micro's Zero Day Initiative

References

lists.debian.org/debian-lts-announce/2025/05/msg00046.html

lists.debian.org/debian-lts-announce/2025/05/msg00024.html

bugzilla.mozilla.org/show_bug.cgi?id=1966614

www.mozilla.org/security/advisories/mfsa2025-36/

www.mozilla.org/security/advisories/mfsa2025-37/

www.mozilla.org/security/advisories/mfsa2025-38/

www.mozilla.org/security/advisories/mfsa2025-40/

www.mozilla.org/security/advisories/mfsa2025-41/

cve.org (CVE-2025-4919)

nvd.nist.gov (CVE-2025-4919)

Download JSON

help @ threatint.eu