
Firefox 138.0.4, as well as 128.10.1 ESR and 115.23.1 ESR, are available as updates. Each update fixes two critical security vulnerabilities.
Mozilla released a security update for Firefox 138, 128 ESR, and 115 ESR last night. Versions 138.0.4, 128.10.1 ESR, and 115.23.1 ESR each close two critical vulnerabilities, CVE-2025-4920 and CVE-2025-4921. Both affect JavaScript:
- CVE-2025-4918: Out-of-bounds access when resolving Promise objects. An attacker was able to perform an out-of-bounds read or write on a JavaScript Promise object.
- CVE-2025-4919: Out-of-bounds access when optimizing linear sums. An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes.
According to the release notes, no further changes were made. The update itself should already be distributed via the browser's update function.