Chrome Zero-Day Flaw Also Affects Firefox (2025)

A scary zero-day attack against Google’s Chrome browser also works on Firefox, Mozilla warns.

The attack, which exploits the flaw CVE-2025-2783, caused Google to rush out an emergency patch for Chrome users on Windows. On Thursday, Mozilla released its own fix, even though Firefox uses its own browser engine instead of Google’s Chromium.

The issue is surprising since Google attributed the vulnerability to a logic problem involving “unspecified circumstances in Mojo,” a programming language available for Windows. But in a blog post, Mozilla warned that CVE-2025-2783 also threatens Firefox users after discovering an exploitable behavior with similar characteristics.

Specifically, CVE-2025-2783 offers a way for a hacker to remotely escape the browser’s “sandbox,” a security layer meant to isolate malicious processes.

“Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code,” the company wrote. IPC refers to “interprocess communications,” the mechanism Windows uses to facilitate data-sharing between applications.

So it looks like the vulnerability has more to do with internal processes on Windows than with the Mojo programming language. Mozilla added, “Attackers were able to confuse the parent process into leaking handles into unprivileged child processes, leading to a sandbox escape.”

The danger only affects Firefox users on Windows. The company issued patches via Firefox 136.0.4, Firefox ESR 115.21.1, and Firefox ESR 128.8.1.
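For administrators checking a fleet against the fixed versions above, here is an added example (not from the article or from Mozilla) that classifies Firefox installs from an inventory export. The CSV column names, hostnames and sample rows are constructed, and it assumes any 115.x or 128.x build belongs to that ESR branch.

```python
import csv
import io
import re

# Fixed versions named in the article (Windows builds only).
FIXED_RELEASE = (136, 0, 4)
FIXED_ESR = {115: (115, 21, 1), 128: (128, 8, 1)}


def parse_version(text):
    """Return the leading numeric components as a 3-tuple, or None if unparsable."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text or "")
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())


def firefox_status(os_name, version_text):
    """Classify one install: 'not-affected', 'patched', 'vulnerable' or 'unknown'."""
    if not os_name.strip().lower().startswith("windows"):
        return "not-affected"  # the article says only Windows is affected
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # flag for manual follow-up rather than guessing
    # Assumption: a 115.x or 128.x build is on that ESR branch; every other
    # major version is compared against the regular release fix.
    floor = FIXED_ESR.get(version[0], FIXED_RELEASE)
    return "patched" if version >= floor else "vulnerable"


def triage(inventory_csv):
    """Map host -> status from CSV text with host, os, firefox_version columns."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: firefox_status(r["os"], r["firefox_version"]) for r in rows}


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = """host,os,firefox_version
ws-01,Windows 11,136.0.3
ws-02,Windows 10,136.0.4
ws-03,Windows 11,128.8.0esr
ws-04,Windows 10,115.21.1esr
ws-05,Windows 11,128.9.0esr
mac-01,macOS 15,135.0
ws-06,Windows 11,unknown
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}\t{status}")
```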


Meanwhile, Microsoft’s Edge and the Brave browser, which both use Google’s Chromium engine, also issued patches for CVE-2025-2783.

Antivirus provider Kaspersky warns the flaw was recently exploited to deliver spyware to Russian users through phishing emails. Victims merely needed to click a malicious link in the emails for the attack to execute. Kaspersky plans on publishing more details about the attack once the Chrome patch has reached most users.

That said, the company was only able to recover the second stage of the attack, not the first, which can remotely execute rogue computer code on Chrome. Still, Google's patch should nullify the entire attack chain, Kaspersky says.


About Michael Kan

Senior Reporter

I've been working as a journalist for over 15 years—I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017.

Article information

Author: Nathanial Hackett
