Mozilla Acts Swiftly: Firefox 138.0.4 Released to Plug Critical Pwn2Own Exploits

Mozilla’s Firefox browser has demonstrated remarkable responsiveness in addressing critical security vulnerabilities discovered during the recent Pwn2Own Berlin 2025 event. On May 18, 2025, Mozilla releasedFirefox version 138.0.4, a critical security update addressing two severe vulnerabilities that were successfully exploited during the competition just days earlier.

The Vulnerabilities and Response

Security researchers at Pwn2Own Berlin 2025 successfully demonstrated two content-process exploits against Firefox on May 16, as reported by Mozilla’s security blog. These zero-day vulnerabilities were among 20 unique flaws discovered during the second day of the competition, which collectively resulted in $435,000 in awards to participating researchers, according to Hackread.

The exploits are classified as “critical” in severity, suggesting they could potentially allow attackers to execute arbitrary code or gain privileged access to affected systems. What makes this security response noteworthy is the speed of Mozilla’s reaction—releasing a patched version within approximately 48 hours of the public demonstrations.

Affected Versions and Update Details

The security update isn’t limited to Firefox’s standard release channel. Mozilla has simultaneously released patches for:

• Firefox Stable: Updated to version 138.0.4
• Firefox 115 ESR: Updated to version 115.23.1

This comprehensive approach ensures that both regular users and organizations relying on the Extended Support Release (ESR) versions are protected. As Ghacks notes, Mozilla currently maintains two ESR branches—one supporting older operating systems like Windows 7 and another for current platforms such as Windows 10 and 11.

Mozilla’s Security Track Record

This rapid response isn’t unprecedented for Mozilla. In April 2024, the organization highlighted its ability to fix an exploit discovered at a previous Pwn2Own event in less than 21 hours. This demonstrates Mozilla’s ongoing commitment to security and its well-established processes for quickly addressing critical vulnerabilities.

The Firefox 138.0.4 update continues a pattern of regular security improvements. Earlier this year, in April 2025, Mozilla released Firefox 137 with multiple security fixes described in their security advisory MFSA2025-20, which addressed several high-impact vulnerabilities.

Implications for Users

For end users, the immediate concern is ensuring their browsers are updated to the patched version. While Firefox typically installs updates automatically, users can expedite the process by navigating to Menu > Help > About Firefox, which triggers an immediate check for updates.

Security experts emphasize the importance of prompt updates in this case. Once vulnerabilities are publicly demonstrated at events like Pwn2Own, there’s an elevated risk that malicious actors will attempt to reverse-engineer and weaponize the exploits for attacks against unpatched systems.

The Broader Security Landscape

The Pwn2Own Berlin 2025 event highlighted vulnerabilities across multiple platforms beyond Firefox. Windows 11, VMware, and Microsoft SharePoint were among other significant targets successfully exploited during the competition.

These events serve an important role in the security ecosystem. By incentivizing researchers to discover and responsibly disclose vulnerabilities, they help vendors identify and fix issues before they can be widely exploited in the wild. Mozilla’s rapid response exemplifies how this system ideally functions—with prompt patches following responsible disclosure.

For Firefox users, this update represents another example of Mozilla’s commitment to security. The organization’s ability to quickly address critical flaws demonstrates the advantages of its open-source development model and dedicated security team in protecting millions of users worldwide.