Mozilla has fixed a security bug in its Firefox for Windows browser that was “being exploited in the wild.”
In a brief update, Mozilla said it updated the browser to Firefox version 136.0.4 after identifying and fixing the new bug, tracked as CVE-2025-2857, which presents a “similar pattern” to a bug that Google patched in its Chrome browser earlier this week.
Anyone exploiting the bug could escape Firefox’s sandbox, which limits the browser’s access to other apps and data on the user’s computer.
The bug also affects other browsers with the same codebase as Firefox for Windows, such as the Tor Browser, which also received a patch updating the browser to 14.0.7.
Kaspersky researcher Boris Larin, who first discovered the Chrome zero-day, confirmed in a post that the root cause of the Chrome bug also affects Firefox. Kaspersky previously linked the use of the exploits to attacks on journalists, employees of educational institutions, and government organizations in Russia.
Related posts:
Apple fixes zero-day bug in Apple Vision Pro that ‘may have been exploited’
North Korean hackers exploited Chrome zero-day to steal crypto
Mozilla Foundation lays off 30% staff, drops advocacy division
Russia-linked hackers exploited Firefox and Windows zero-day bugs in ‘widespread’ hacking campaign