Mozilla has patched a security bug in its Firefox for Windows browser that has been “exploited in the wild.”
In a brief announcement, Mozilla said it updated the browser to Firefox 136.0.4 after it discovered and fixed a new bug, tracked as CVE-2025-2857, which presents a “similar pattern” to a bug that Google fixed in its Chrome browser earlier this week.
Anyone who exploits the bug could be forced out of the Firefox sandbox, which restricts the browser’s access to other applications and data on the user’s computer.
The bug also affects other browsers with the same code base as Firefox for Windows, such as Tor Browser, which also received a patch that updates the browser to version 14.0.7.
Kaspersky researcher Boris Larin, who was the first to discover Chrome zero-day, confirmed in a post that the root cause of the Chrome bug also affects Firefox. Earlier, Kaspersky linked the use of exploits to attacks on journalists, employees of educational institutions and government organizations in Russia.
