Mozilla has fixed a security bug in its Firefox for Windows browser that was “being exploited in the wild.”
In a brief update, Mozilla said it updated the browser to Firefox version 136.0.4 after identifying and fixing the new bug, tracked as CVE-2025-2857, which presents a “similar pattern” to a bug that Google patched in its Chrome browserearlier this week.
Anyone exploiting the bug could escape Firefox’s sandbox, which limits the browser’s access to other apps and data on the user’s computer.
The bug also affects other browsers with the same codebase as Firefox for Windows, such as the Tor Browser, which also received a patch updating the browser to 14.0.7.
Kaspersky researcher Boris Larin, who first discovered the Chrome zero-day, confirmed in a post that the root cause of the Chrome bug also affects Firefox. Kaspersky previously linked the use of the exploits to attacks on journalists, employees of educational institutions, and government organizations in Russia.
