Mozilla has released Firefox 136.0.4 to fix a critical security vulnerability that allows attackers to bypass the browser’s sandbox protections on Windows.
The flaw, tracked as CVE-2025-2857, was discovered by Mozilla developer Andrew McCreight and involves an incorrect handle that could enable sandbox escapes. It affects both the standard and extended support release (ESR) versions of Firefox, which are widely used by organizations requiring long-term support. The issue has been addressed in Firefox 136.0.4 and ESR versions 115.21.1 and 128.8.1.
Mozilla did not share full technical details but acknowledged that the vulnerability stems from a flaw in the browser’s IPC code, which allowed attackers to manipulate the parent process into leaking handles into unprivileged child processes, ultimately leading to a sandbox escape. The company confirmed that this issue only affects Windows users, while macOS and Linux remain unaffected.
This incident follows a series of security concerns for Firefox. In October 2024, Mozilla patched a zero-day vulnerability (CVE-2024-9680) that was actively exploited by the RomCom cybercrime group, a Russia-based hacking operation. The vulnerability, chained with a Windows privilege escalation exploit (CVE-2024-49039), allowed attackers to execute malicious code outside of Firefox’s sandbox. Victims were tricked into visiting attacker-controlled websites that downloaded and executed malware on their systems.
Earlier in the year, Mozilla also had to patch two Firefox zero-day vulnerabilities immediately after they were exploited at the Pwn2Own Vancouver 2024 hacking competition. These incidents highlight the ongoing challenges in browser security as cybercriminals continue to target vulnerabilities to gain unauthorized access to systems.
Windows users are strongly advised to update to Firefox 136.0.4 or the latest ESR release as soon as possible to protect against potential attacks. The update can be applied by going to Settings > Help > About Firefox, which will prompt the browser to update automatically. Keeping software up to date remains one of the most effective ways to defend against security threats.
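For an administrator who needs to confirm that a fleet is actually on a fixed build, the practical check is a version comparison against the three fixed versions named above (136.0.4, and ESR 115.21.1 and 128.8.1), limited to Windows hosts since the advisory says macOS and Linux are unaffected. The script below is an added example written for this article, not Mozilla code; the inventory rows are constructed, and the decisions for branches the article does not mention (treating any release branch newer than 136 as fixed, and anything older than the fixed branches as still needing an update) are assumptions made by the example.

```python
import re
from typing import Optional

# Fixed versions named in the article for CVE-2025-2857, keyed by major branch:
# 136.0.4 (release), 115.21.1 and 128.8.1 (ESR).
FIXED_BY_BRANCH = {
    115: (115, 21, 1),
    128: (128, 8, 1),
    136: (136, 0, 4),
}

# Accepts "136.0.4", "115.21" and ESR-style strings such as "128.8.1esr".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?\s*(esr)?$", re.IGNORECASE)


def parse_version(text: str) -> Optional[tuple]:
    """Return (major, minor, patch) for a Firefox-style version string, or None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_patched(version: str) -> Optional[bool]:
    """True if the build carries the CVE-2025-2857 fix, False if not, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    major = v[0]
    if major in FIXED_BY_BRANCH:
        # Same branch: tuple comparison gives the usual major.minor.patch ordering.
        return v >= FIXED_BY_BRANCH[major]
    if major > 136:
        return True   # assumption: later release branches include the fix
    return False      # older release branches and out-of-support ESR lines predate it


def triage(inventory):
    """inventory: iterable of (hostname, os, version). Only Windows hosts are in scope,
    because the advisory says macOS and Linux are unaffected. Returns hosts that still
    need the update and hosts whose version could not be read."""
    needs_update, unparseable = [], []
    for host, os_name, version in inventory:
        if os_name.lower() != "windows":
            continue
        patched = is_patched(version)
        if patched is None:
            unparseable.append(host)
        elif not patched:
            needs_update.append(host)
    return {"needs_update": needs_update, "unparseable": unparseable}


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "136.0.3"),
    ("ws-02", "Windows", "136.0.4"),
    ("ws-03", "Windows", "128.8.0esr"),
    ("ws-04", "Windows", "115.21.1esr"),
    ("mac-01", "macOS", "136.0.3"),     # unaffected platform, skipped
    ("ws-05", "Windows", "not-installed"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    print("Still vulnerable:", ", ".join(result["needs_update"]))
    print("Could not read version:", ", ".join(result["unparseable"]))
```

The version string itself comes from whatever your inventory tool already collects (the file version of `firefox.exe` or the value shown under About Firefox); the script only decides whether that string is on or past a fixed build.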
Bijay Pokharel