High severity · 8.8 · NVD Advisory · Published May 17, 2025 · Updated Apr 13, 2026
CVE-2025-4919
Description
An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes. This vulnerability was fixed in Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, Thunderbird 128.10.2, and Thunderbird 138.0.2.
Affected products (37)
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* + 3 more
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* range: <138.0.4
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* range: <115.23.1
- (no CPE) range: = 128.10.1, = 115.23.1
- (no CPE) range: = 138.0.4
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* + 2 more
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* range: <128.10.2
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* range: >=138.0,<138.0.2
- (no CPE) range: = 128.10.2, = 138.0.2
- osv-coords, 30 versions:
  - pkg:apk/chainguard/firefox
  - pkg:apk/chainguard/firefox-esr
  - pkg:apk/wolfi/firefox
  - pkg:rpm/almalinux/firefox
  - pkg:rpm/almalinux/firefox-x11
  - pkg:rpm/almalinux/thunderbird
  - pkg:rpm/opensuse/firefox-esr&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Leap%2015.6
  - pkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Leap%2015.6
  - pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Enterprise%20Storage%207.1
  - pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS
  - pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS
  - pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS
  - pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS
  - pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS
  - pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP6
  - pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS
  - pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS
  - pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS
  - pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS
  - pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3
  - pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4
  - pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5
  - pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5
  - pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6
  - pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7
  - pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP6
  - pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP7
< 128.10.1-r0 + 29 more
- (no CPE) range: < 128.10.1-r0
- (no CPE) range: < 115.23.1-r0
- (no CPE) range: < 128.10.1-r0
- (no CPE) range: < 128.10.1-1.el9_6.alma.1
- (no CPE) range: < 128.10.1-1.el9_6.alma.1
- (no CPE) range: < 128.11.0-1.el9_6.alma.1
- (no CPE) range: < 128.10.1-1.1
- (no CPE) range: < 128.10.1-150200.152.182.1
- (no CPE) range: < 138.0.4-1.1
- (no CPE) range: < 128.10.2-150200.8.218.1
- (no CPE) range: < 128.10.2-1.1
- (no CPE) range: < 128.10.1-150200.152.182.1
- (no CPE) range: < 128.10.1-150200.152.182.1
- (no CPE) range: < 128.10.1-150200.152.182.1
- (no CPE) range: < 128.10.1-150200.152.182.1
- (no CPE) range: < 128.10.1-150200.152.182.1
- (no CPE) range: < 128.10.1-150200.152.182.1
- (no CPE) range: < 128.10.1-150200.152.182.1
- (no CPE) range: < 128.10.1-112.259.1
- (no CPE) range: < 128.10.1-150200.152.182.1
- (no CPE) range: < 128.10.1-150200.152.182.1
- (no CPE) range: < 128.10.1-150200.152.182.1
- (no CPE) range: < 128.10.1-150200.152.182.1
- (no CPE) range: < 128.10.1-150200.152.182.1
- (no CPE) range: < 128.10.1-150200.152.182.1
- (no CPE) range: < 128.10.1-112.259.1
- (no CPE) range: < 128.10.2-150200.8.218.1
- (no CPE) range: < 128.10.2-150200.8.218.1
- (no CPE) range: < 128.10.2-150200.8.218.1
- (no CPE) range: < 128.10.2-150200.8.218.1
References (8)
- www.mozilla.org/security/advisories/mfsa2025-36/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-37/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-38/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-40/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-41/ (nvd, Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (nvd, Permissions Required)
- lists.debian.org/debian-lts-announce/2025/05/msg00024.html (nvd)
- lists.debian.org/debian-lts-announce/2025/05/msg00046.html (nvd)