CVE-2025-4918 - Vulnerability Details

- Out-of-bounds access when resolving Promise objects

Description

An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability was fixed in Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, Thunderbird 128.10.2, and Thunderbird 138.0.2.

Published: 2025-05-17

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An attacker can trigger an out-of-bounds read or write on a JavaScript Promise object, a type of memory corruption that may lead to arbitrary code execution. The flaw is classified as CWE-125 (Out‑of‑Bounds Read) and CWE-787 (Out‑of‑Bounds Write). The vulnerability allows an attacker to corrupt memory in the JavaScript engine, potentially compromising confidentiality, integrity, and availability of the affected system if exploited.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected. The bug was fixed in Firefox 138.0.4, Firefox ESR 128.10.1 and 115.23.1, Thunderbird 128.10.2 and 138.0.2. Older releases of these products, including those packaged in various Red Hat Enterprise Linux channels, remain vulnerable.

Risk and Exploitability

The CVSS score of 9.8 indicates a severe risk level. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a low probability of widespread exploitation. The likely attack vector is the execution of maliciously crafted JavaScript, such as via a web page or email content.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`115.23.1`	unaffected	≤ 115.*
`128.10.1`	unaffected	≤ 128.*
`138.0.4`	unaffected	≤ *

Mozilla

Thunderbird

affected

Version	Status	Constraints
`128.10.2`	unaffected	≤ 128.*
`138.0.2`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox:::::-:::*
	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:thunderbird::::::::
	cpe:2.3:a:mozilla:thunderbird:::::-:::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 10
firefox-0:128.10.1-1.el10_0	cpe:/o:redhat:enterprise_linux:10.0	RHSA-2025:8125	2025-05-26T00:00:00Z
thunderbird-0:128.11.0-1.el10_0	cpe:/o:redhat:enterprise_linux:10.0	RHSA-2025:8608	2025-06-05T00:00:00Z
Red Hat Enterprise Linux 7 Extended Lifecycle Support
firefox-0:128.10.1-1.el7_9	cpe:/o:redhat:rhel_els:7	RHSA-2025:8465	2025-06-03T00:00:00Z
Red Hat Enterprise Linux 8
firefox-0:128.10.1-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:8060	2025-05-21T00:00:00Z
thunderbird-0:128.11.0-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:8756	2025-06-10T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
thunderbird-0:128.11.0-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:8631	2025-06-09T00:00:00Z
firefox-0:128.10.1-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:8639	2025-06-09T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
thunderbird-0:128.11.0-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:8630	2025-06-09T00:00:00Z
firefox-0:128.10.1-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:8640	2025-06-09T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
thunderbird-0:128.11.0-1.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:8629	2025-06-09T00:00:00Z
firefox-0:128.10.1-1.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:8645	2025-06-09T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
thunderbird-0:128.11.0-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:8629	2025-06-09T00:00:00Z
firefox-0:128.10.1-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:8645	2025-06-09T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
thunderbird-0:128.11.0-1.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:8629	2025-06-09T00:00:00Z
firefox-0:128.10.1-1.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:8645	2025-06-09T00:00:00Z
Red Hat Enterprise Linux 8.8 Telecommunications Update Service
thunderbird-0:128.11.0-1.el8_8	cpe:/a:redhat:rhel_tus:8.8	RHSA-2025:8628	2025-06-09T00:00:00Z
firefox-0:128.10.1-1.el8_8	cpe:/a:redhat:rhel_tus:8.8	RHSA-2025:8807	2025-06-11T00:00:00Z
Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
thunderbird-0:128.11.0-1.el8_8	cpe:/a:redhat:rhel_e4s:8.8	RHSA-2025:8628	2025-06-09T00:00:00Z
firefox-0:128.10.1-1.el8_8	cpe:/a:redhat:rhel_e4s:8.8	RHSA-2025:8807	2025-06-11T00:00:00Z
Red Hat Enterprise Linux 9
firefox-0:128.10.1-1.el9_6	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:8049	2025-05-20T00:00:00Z
thunderbird-0:128.11.0-1.el9_6	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:8607	2025-06-05T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
firefox-0:128.10.1-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:8371	2025-06-02T00:00:00Z
thunderbird-0:128.11.0-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:8598	2025-06-05T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
firefox-0:128.10.1-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2025:8369	2025-06-02T00:00:00Z
Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
thunderbird-0:128.11.0-1.el9_2	cpe:/a:redhat:rhel_e4s:9.2	RHSA-2025:8642	2025-06-09T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
firefox-0:128.10.1-1.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:8370	2025-06-02T00:00:00Z
thunderbird-0:128.11.0-1.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:8599	2025-06-05T00:00:00Z

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Firefox to version 138.0.4 or ESR 128.10.1 or 115.23.1, and upgrade Thunderbird to 128.10.2 or 138.0.2.
For Red Hat Enterprise Linux systems, install the latest security updates that include patched Firefox or Thunderbird binaries.
If a patch cannot be applied immediately, mitigate risk by restricting or disabling JavaScript execution from untrusted sources and employing content‑security policies to isolate untrusted content.

Generated by OpenCVE AI on April 20, 2026 at 17:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4172-1	firefox-esr security update
Debian DLA	DLA-4194-1	thunderbird security update
Debian DSA	DSA-5932-1	thunderbird security update
EUVD	EUVD-2025-15599	An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability affects Firefox < 138.0.4, Firefox ESR < 128.10.1, Firefox ESR < 115.23.1, Thunderbird < 128.10.2, and Thunderbird < 138.0.2.
Ubuntu USN	USN-7663-1	Thunderbird vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00994.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1966612
https://lists.debian.org/debian-lts-announce/2025/05/msg00024.html
https://lists.debian.org/debian-lts-announce/2025/05/msg00046.html
https://nvd.nist.gov/vuln/detail/CVE-2025-4918
https://www.cve.org/CVERecord?id=CVE-2025-4918
https://www.mozilla.org/en-US/security/advisories/mfsa2025-37/#CVE-2025-4918
https://www.mozilla.org/en-US/security/advisories/mfsa2025-40/#CVE-2025-4918
https://www.mozilla.org/security/advisories/mfsa2025-36/
https://www.mozilla.org/security/advisories/mfsa2025-37/
https://www.mozilla.org/security/advisories/mfsa2025-38/
https://www.mozilla.org/security/advisories/mfsa2025-40/
https://www.mozilla.org/security/advisories/mfsa2025-41/
https://www.vicarius.io/vsociety/posts/cve-2025-4918-detect-firefox-out-of-bounds-write
https://www.vicarius.io/vsociety/posts/cve-2025-4918-mitigate-firefox-out-of-bounds-write

History

Mon, 13 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability affects Firefox < 138.0.4, Firefox ESR < 128.10.1, Firefox ESR < 115.23.1, Thunderbird < 128.10.2, and Thunderbird < 138.0.2.	An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability was fixed in Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, Thunderbird 128.10.2, and Thunderbird 138.0.2.
Title	firefox: thunderbird: Out-of-bounds access when resolving Promise objects	Out-of-bounds access when resolving Promise objects

Mon, 03 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/05/msg00024.html https://lists.debian.org/debian-lts-announce/2025/05/msg00046.html

Mon, 22 Sep 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 11 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00056}`	epss `{'score': 0.00052}`

Tue, 10 Jun 2025 06:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel Tus
CPEs		cpe:/a:redhat:rhel_aus:8.2 cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_e4s:8.8 cpe:/a:redhat:rhel_e4s:9.2 cpe:/a:redhat:rhel_tus:8.6 cpe:/a:redhat:rhel_tus:8.8
Vendors & Products		Redhat rhel Aus Redhat rhel Tus

Fri, 06 Jun 2025 22:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Els
CPEs		cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat rhel Els

Tue, 03 Jun 2025 06:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel E4s Redhat rhel Eus
CPEs		cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_eus:9.2 cpe:/a:redhat:rhel_eus:9.4
Vendors & Products		Redhat rhel E4s Redhat rhel Eus

Wed, 28 May 2025 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox Mozilla thunderbird
CPEs		cpe:2.3:a:mozilla:firefox:::::-:::* cpe:2.3:a:mozilla:firefox:::::esr:::* cpe:2.3:a:mozilla:thunderbird:::::::: cpe:2.3:a:mozilla:thunderbird:::::-:::*
Vendors & Products		Mozilla Mozilla firefox Mozilla thunderbird

Tue, 27 May 2025 03:00:00 +0000

Type	Values Removed	Values Added
Title	firefox: Out-of-bounds access when resolving Promise objects	firefox: thunderbird: Out-of-bounds access when resolving Promise objects
References	https://www.mozilla.org/en-US/security/advisories/mfsa2025-38/#CVE-2025-4918	https://www.mozilla.org/en-US/security/advisories/mfsa2025-37/#CVE-2025-4918 https://www.mozilla.org/en-US/security/advisories/mfsa2025-40/#CVE-2025-4918

Mon, 26 May 2025 15:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/o:redhat:enterprise_linux:10.0

Thu, 22 May 2025 13:15:00 +0000

Type	Values Removed	Values Added
Description	An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability affects Firefox < 138.0.4, Firefox ESR < 128.10.1, and Firefox ESR < 115.23.1.	An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability affects Firefox < 138.0.4, Firefox ESR < 128.10.1, Firefox ESR < 115.23.1, Thunderbird < 128.10.2, and Thunderbird < 138.0.2.
References		https://www.mozilla.org/security/advisories/mfsa2025-40/ https://www.mozilla.org/security/advisories/mfsa2025-41/

Thu, 22 May 2025 03:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8

Wed, 21 May 2025 16:30:00 +0000

Type	Values Removed	Values Added
References		https://www.vicarius.io/vsociety/posts/cve-2025-4918-detect-firefox-out-of-bounds-write https://www.vicarius.io/vsociety/posts/cve-2025-4918-mitigate-firefox-out-of-bounds-write

Wed, 21 May 2025 03:00:00 +0000

Type	Values Removed	Values Added
Title		firefox: Out-of-bounds access when resolving Promise objects
First Time appeared		Redhat Redhat enterprise Linux
Weaknesses		CWE-787
CPEs		cpe:/a:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux
References		https://nvd.nist.gov/vuln/detail/CVE-2025-4918 https://www.cve.org/CVERecord?id=CVE-2025-4918 https://www.mozilla.org/en-US/security/advisories/mfsa2025-38/#CVE-2025-4918
Metrics	threat_severity `None`	threat_severity `Important`

Mon, 19 May 2025 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sun, 18 May 2025 19:30:00 +0000

Type	Values Removed	Values Added
Description	An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability affects Firefox ESR < 115.23.1.	An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability affects Firefox < 138.0.4, Firefox ESR < 128.10.1, and Firefox ESR < 115.23.1.
References		https://www.mozilla.org/security/advisories/mfsa2025-36/ https://www.mozilla.org/security/advisories/mfsa2025-37/

Sat, 17 May 2025 21:30:00 +0000

Type	Values Removed	Values Added
Description		An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability affects Firefox ESR < 115.23.1.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1966612 https://www.mozilla.org/security/advisories/mfsa2025-38/

Subscriptions

Mozilla Firefox Thunderbird

Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-05-17T21:07:26.745Z

Updated: 2026-04-13T14:25:54.968Z

Reserved: 2025-05-17T19:40:51.300Z

Link: CVE-2025-4918

Vulnrichment

Updated: 2025-11-03T20:05:17.591Z

NVD

Status : Modified

Published: 2025-05-17T22:15:19.563

Modified: 2026-04-13T15:17:01.407

Link: CVE-2025-4918

Redhat

Severity : Important

Publid Date: 2025-05-17T21:07:26Z

Links: CVE-2025-4918 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T17:15:12Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object