Google’s fixing of CVE-2025-2783, a Chrome zero-day vulnerability exploited by state-sponsored attackers, has spurred Firefox developers to check whether the browser might have a similar flaw – and they found it.
There’s currently no indication that the Firefox bug (CVE-2025-2857) is under active exploitation, but this should not be surprising: according to Statcounter, Chrome is used by 66.3% of internet users worldwide and Firefox only by 2.62%.
About CVE-2025-2857
CVE-2025-2783 has been described as “a logical error at the intersection of Google Chrome’s sandbox and the Windows operating system” by the Kaspersky researchers who flagged it, and was found in Mojo, Chromium’s inter-process communication (IPC) framework.
CVE-2025-2857 was similarly discovered in Firefox’s IPC code, and allowed a compromised child process to make the parent process “return an unintentionally powerful handle, leading to a sandbox escape.”
Mozilla has fixed CVE-2025-2857 in Firefox v136.0.4, Firefox Extended Support Release (ESR) v128.8.1, and Firefox ESR v115.21.1 for Windows. And, since the Tor Browser is built from a modified version of Firefox ESR, the Tor Project has also released an emergency security update (v14.0.8) for Windows users and advised them to update immediately.
Opera browser developers have already backported the security patch for CVE-2025-2783.
Like Opera, Microsoft Edge, the Brave and Vivaldi browsers are also based on Chromium code, and will likely receive a patch for CVE-2025-2783 soon.
Kaspersky researchers said that CVE-2025-2783 initially left them scratching their heads: “Without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist.”
They also noted that CVE-2025-2783 was exploited in conjuction with another vulnerability that allowed attackers to achieve remote code execution, but this flaw remains a mystery for now. The researchers have promised to publish a detailed report with technical details about the CVE-2025-2783 exploit, the malware and techniques used by the attackers.
