Mozilla Patches Critical Firefox Sandbox Escape Following Chrome Zero-Day Fix

Mozilla has rolled out security updates to fix a critical vulnerability in its Firefox browser for Windows, closely following Google’s recent patch for a similar Chrome flaw that was actively exploited as a zero-day attack.

Firefox Sandbox Escape Vulnerability (CVE-2025-2857)

The newly disclosed security flaw, CVE-2025-2857, is classified as a handle mismanagement issue that could enable a sandbox escape.

"Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC [inter-process communication] code," Mozilla stated in an advisory.

The flaw, which impacts Firefox and Firefox ESR, has been patched in:

  • Firefox 136.0.4

  • Firefox ESR 115.21.1

  • Firefox ESR 128.8.1

At present, there is no evidence suggesting that CVE-2025-2857 has been actively exploited.
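A practical follow-up to the fixed-version list above is checking an inventory of reported Firefox versions against it. The following is an added example, not Mozilla's code; it assumes version strings in the form `firefox --version` prints (`Mozilla Firefox 128.8.1esr`, ESR builds marked by a trailing `esr`) and treats ESR branches the advisory does not name as unknown rather than guessing.

```python
from typing import Dict, List, Tuple

# Fixed builds from Mozilla's advisory for CVE-2025-2857.
FIXED_RELEASE: Tuple[int, int, int] = (136, 0, 4)
FIXED_ESR: Dict[int, Tuple[int, int, int]] = {115: (115, 21, 1), 128: (128, 8, 1)}


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Turn a 'Mozilla Firefox 128.8.1esr' style string into ((128, 8, 1), True).

    Assumption: the version is the last whitespace-separated token and an ESR
    build is marked by a trailing 'esr', as `firefox --version` prints it.
    """
    token = text.strip().split()[-1]
    is_esr = token.lower().endswith("esr")
    if is_esr:
        token = token[:-3]
    parts = [int(p) for p in token.split(".")]
    parts += [0] * (3 - len(parts))  # '136.0' -> 136.0.0
    return (parts[0], parts[1], parts[2]), is_esr


def cve_2025_2857_status(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one installed version."""
    version, is_esr = parse_version(version_text)
    if not is_esr:
        # Rapid-release channel: 136.0.4 and anything newer carries the fix.
        # Note a plain (non-ESR) 128.x build is an old release, not ESR 128.
        return "patched" if version >= FIXED_RELEASE else "vulnerable"
    fixed = FIXED_ESR.get(version[0])
    if fixed is None:
        # ESR branch the advisory does not list: flag for review, do not guess.
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory: List[str]) -> Dict[str, List[str]]:
    """Group inventory lines by status so unpatched hosts stand out."""
    groups: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory:
        groups[cve_2025_2857_status(line)].append(line)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["Mozilla Firefox 136.0.4", "Mozilla Firefox 136.0.3",
              "Mozilla Firefox 128.8.1esr", "Mozilla Firefox 115.20.0esr",
              "Mozilla Firefox 128.8.1", "Mozilla Firefox 140.0esr"]
    for status, lines in triage(sample).items():
        print(status, lines)
```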

Google Chrome Zero-Day (CVE-2025-2783) Exploited in Targeted Attacks

The Firefox update comes in the wake of Google’s emergency fix for CVE-2025-2783, a sandbox escape vulnerability that was exploited in the wild against:

  • Media outlets

  • Educational institutions

  • Government organizations in Russia

According to Kaspersky, attackers lured victims with phishing emails containing malicious links that opened a compromised Chrome browser session. CVE-2025-2783 was likely paired with an additional exploit to bypass sandbox protections and execute remote code.

To mitigate the risk, Google released Chrome version 134.0.6998.177/.178 for Windows, effectively neutralizing the attack chain.

CISA Adds Chrome Vulnerability to Exploited Flaws List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-2783 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies apply patches by April 17, 2025.

Users Urged to Update Firefox and Chrome Immediately

With both Mozilla and Google addressing critical security threats, users are strongly advised to update their browsers immediately to minimize the risk of exploitation.