CVE-2025-4918: 
NixOS vulnerability analysis and mitigation

CVE-2025-4918 is a critical security vulnerability discovered in Mozilla Firefox that allows attackers to perform an out-of-bounds read or write operation on a JavaScript Promise object. The vulnerability was identified on May 17, 2025, and affects Firefox versions < 138.0.4, Firefox ESR < 128.10.1, Firefox ESR < 115.23.1, Thunderbird < 128.10.2, and Thunderbird < 138.0.2. The flaw was discovered by Edouard Bochin and Tao Yan from Palo Alto Networks working with Trend Micro's Zero Day Initiative (Mozilla Advisory, NVD).

The vulnerability is classified as an out-of-bounds read (CWE-125) vulnerability that allows unauthorized access to memory locations. It received a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that it can be exploited remotely with low attack complexity and requires no privileges or user interaction (NVD).

The vulnerability enables attackers to perform unauthorized read or write operations on JavaScript Promise objects, potentially leading to information disclosure or memory corruption. However, Mozilla has noted that the attacks were unable to break out of their sandbox, which is required to gain control over the user's system (Hacker News).

Mozilla has released security updates to address this vulnerability. Users and administrators are advised to update their Firefox installations to version 138.0.4, Firefox ESR to version 128.10.1 or 115.23.1, and Thunderbird to version 128.10.2 or 138.0.2 as soon as possible (Mozilla Advisory, Hacker News).