A serious memory corruption vulnerability in Firefox’s WebAssembly system remained hidden for six months, potentially allowing attackers to run arbitrary code on more than 180 million devices. The flaw, tracked as CVE-2025-13016, was discovered by security researchers at AISLE and affected Firefox versions 143 through early 145, as well as Firefox ESR versions prior to 140.5. The bug was introduced in April 2025 and managed to pass through code review and automated testing unnoticed, even though regression tests were included.

Figure 1. Vulnerability in Firefox.

The issue originated from a mistake in how Firefox copied data within WebAssembly arrays, which caused information to be written outside the intended memory area. This memory overflow corrupted nearby data and created an opportunity for attackers to take control of the browser. Making matters worse, the operation copied data from the wrong memory location, overwriting key internal information and increasing the likelihood of successful exploitation.

The weakness was located in Firefox’s WebAssembly garbage collection process and could be triggered during tasks like converting character data to strings, especially when the browser was experiencing memory pressure. Attackers could artificially create such conditions, turning the flaw into a realistic method for remote code execution or sandbox escape, particularly against high-value systems. Figure 1 shows Vulnerability in Firefox.

Once AISLE reported the vulnerability, Mozilla acted quickly: the issue was discovered on October 2, verified by mid-October, and patched on October 15. The fix ensured that memory was accessed and copied safely, preventing future overflows. Mozilla’s security tools later confirmed that the vulnerability was exploitable in real-world conditions.

Users are urged to upgrade immediately to Firefox 145 or Firefox ESR 140.5 or later, as earlier releases remain exposed.

Reference:

1. https://cyberinsider.com/dangerous-firefox-webassembly-bug-went-undetected-for-6-months/

Cite this article:

Keerthana S (2025), A Critical Web assembly Vulnerability in Firefox Remained Unnoticed for Six Months, AnaTechMaz, pp,245