Update Firefox to Patch CVE-2025-13016 Vulnerability Affecting 180 Million Users
AI security firm AISLE revealed CVE-2025-13016, a critical Firefox Wasm bug that risked 180M users for six months. Learn how the memory flaw allowed code execution.
AI security firm AISLE recently discovered a serious vulnerability in the Firefox web browser that went unnoticed for six months. This flaw could have let attackers run their own instructions on a user’s computer, potentially putting over 180 million users at risk.
**The Cause: A Tiny Coding Error**
The flaw, tracked as CVE-2025-13016, was a subtle coding mistake that existed in a key part of Firefox’s engine that handles WebAssembly (Wasm). WebAssembly is basically a type of code that runs very quickly in your browser, typically used for games and complex web applications.
According to AISLE, the problem was a stack buffer overflow within a memory feature called Garbage Collection (GC), a mechanism that automatically frees up unused computer memory.
The error was a single line of incorrect math involving memory pointers (like address tags). This allowed too much data to be written into a temporary spot, corrupting other memory.
Further probing revealed two specific issues: first, the code was told to copy twice the intended data, causing an overflow, and second, it started copying from the wrong memory spot, grabbing administrative data instead of the actual contents. This type of memory corruption is very dangerous because, with the right trick, an attacker could hijack the program’s normal flow and potentially execute arbitrary code.
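The two mistakes described above, shown as a constructed C++ illustration (an added example, not Mozilla's or AISLE's code). The object layout, names and sizes are assumptions, and the doubling is modelled as one common way pointer math goes wrong: a byte count added to a typed pointer.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed object layout, in uint16_t units: 4 header words, then 8 elements.
// The trailing zeros only keep the flawed pointer math inside this array.
constexpr std::size_t kHeaderElems = 4;
constexpr std::size_t kCount = 8;
static const uint16_t kObject[32] = {0xAAAA, 0xAAAA, 0xAAAA, 0xAAAA,
                                     1, 2, 3, 4, 5, 6, 7, 8};

struct Span { const uint16_t* first; const uint16_t* last; };

// Flawed: starts at the object header, and adds a BYTE count to a typed
// pointer, which the compiler scales by sizeof(uint16_t) a second time.
Span buggy_span(const uint16_t* obj, std::size_t count) {
    const uint16_t* first = obj;
    return {first, first + count * sizeof(uint16_t)};
}

// Corrected: skip the header and advance by an ELEMENT count.
Span fixed_span(const uint16_t* obj, std::size_t count) {
    const uint16_t* first = obj + kHeaderElems;
    return {first, first + count};
}

// Defensive copy: refuse any span larger than the destination buffer.
bool copy_checked(Span s, uint16_t* dst, std::size_t cap) {
    if (static_cast<std::size_t>(s.last - s.first) > cap) return false;
    std::copy(s.first, s.last, dst);
    return true;
}

int main() {
    uint16_t dst[kCount] = {};
    Span b = buggy_span(kObject, kCount);
    Span f = fixed_span(kObject, kCount);
    std::printf("buggy: %td elements, first=0x%04X, fits=%d\n", b.last - b.first,
                (unsigned)*b.first, (int)copy_checked(b, dst, kCount));
    std::printf("fixed: %td elements, first=0x%04X, fits=%d\n", f.last - f.first,
                (unsigned)*f.first, (int)copy_checked(f, dst, kCount));
    return 0;
}
```

The flawed span covers 16 elements for an 8-element destination and begins with header words, so the bounds check rejects it; the corrected span fits and yields the real contents.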
The vulnerable code was introduced on April 7, 2025, and remained in multiple versions, including Firefox 143 through early 145 and ESR versions before 140.5. It is worth noting that even a test designed for this code path failed to catch the issue.
The problematic code (Source: AISLE)
**Quick Discovery and Fix**
The flaw, as per AISLE’s blog post, was discovered on October 2, 2025. The company’s researcher, Igor Morgenstern, immediately reported the issue to the Mozilla security team. Their response was fast; the team confirmed the problem on October 14, 2025. Mozilla’s Yury Delendik then developed the fix and put the changes in place the very next day. This rapid response led to a public patch release on November 11, 2025.
The vulnerability was rated as High severity (CVSS score 7.5). To exploit it, an attacker would need a user to visit a malicious webpage at a very specific moment, such as when the browser is dealing with high memory pressure.
The flaw affected all platforms, including Windows, macOS, Linux, and Android, but older versions like Firefox ESR 115 and all versions prior to 143 were not vulnerable.
Fortunately, the fix is now available in Firefox 145 and Firefox ESR 140.5 and later. Major Linux systems (like Ubuntu, Debian, and Fedora) rapidly incorporated this update, with Arch Linux updating within 24 hours of release. Users are strongly advised to update their Firefox browser immediately to the latest version to ensure they are protected.
Mozilla Foundation’s security advisory on this is available here: