Critical Firefox WebAssembly Flaw Exposed 180 Million Users


A subtle WebAssembly security flaw in Firefox, tracked as CVE-2025-13016, went undetected for six months, putting over 180 million users at risk. Discovered by Aisle's AI-driven system, the bug could allow arbitrary code execution due to a pointer arithmetic error. Mozilla has since released a fix.

A critical yet subtle security flaw within Firefox's WebAssembly implementation remained undetected for six months, bypassing a specific test created by Mozilla. This vulnerability exposed over 180 million users to significant risk.

Tracked as CVE-2025-13016 and assigned a 'high' CVSS severity score of 7.5 out of 10, the flaw resided in a single line of template code. Successful exploitation could have enabled attackers to execute arbitrary code on affected systems.

Stanislav Fort, founder and chief scientist at cybersecurity startup Aisle, noted the profound disparity between the bug's subtlety and its potential impact. Aisle, which emerged from stealth in mid-October with its AI-driven cyber reasoning system, highlighted that "The vulnerable code passed code review, included a test specifically designed to exercise the same code path, and shipped in multiple Firefox releases."

In a report about the flaw, Fort explained that the stack buffer overflow stemmed from a "subtle pointer arithmetic error in Firefox’s WebAssembly implementation [that] silently wrote past stack buffers in hundreds of millions of browsers worldwide." He further characterized it as "particularly insidious" because it evaded a regression test Mozilla had implemented alongside the vulnerable code in April.

The vulnerability remained undiscovered until Aisle’s autonomous analyzer identified it on October 2. Fort elaborated, stating, "It took Aisle’s autonomous analyzer to identify what human reviewers and conventional testing missed: a memory safety violation hiding in plain sight within Firefox’s WebAssembly garbage collection logic." He clarified that garbage collection is a process designed to automatically reclaim unused computer memory.

The Overflow Mechanism

The vulnerability was located within Firefox’s StableWasmArrayObjectElements template class, specifically in the logic that copies inline WebAssembly array data. A mismatch in pointer types within this class caused twice the intended amount of data to be written, resulting in an overflow. Compounding the issue, the copy started from the wrong storage area.

Fort detailed the exploitability: "The bug becomes exploitable when Firefox’s WebAssembly engine needs to create a stable copy of inline array data during garbage collection. The vulnerability could be triggered through WebAssembly code that creates arrays with specific element types and counts, then invokes string conversion operations under memory pressure conditions." He further explained that "when the fast-path NoGC allocation fails, Firefox’s fallback mechanism activates the vulnerable code path. With properly sized arrays, the overflow writes past the stack-allocated vector’s capacity."
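To make the two defects described above concrete, the following is a constructed C++ sketch added for this article; it is not Firefox's code, and the struct layout, field names and sizes are assumptions. A byte count is used to index 16-bit pointers (so twice the intended data is written) and the source pointer starts at the object header rather than the inline storage; a guard region makes the overflow observable, and the corrected copy is shown beside it.

```cpp
#include <cstdint>
#include <cstring>
// Constructed sketch, not Firefox's StableWasmArrayObjectElements: an object
// header, then inline 16-bit element storage, then further object fields.
struct InlineArray {
    uint16_t numElements;   // header, not element data
    uint16_t typeTag;       // header, not element data
    uint16_t elements[4];   // inline storage a stable copy should come from
    uint16_t trailing[4];   // other fields that follow the inline storage
};

// Destination with 8 bytes of real capacity plus a guard region, so an
// overflow is observable in the guard instead of corrupting the stack.
struct Dest {
    uint16_t buf[4];
    uint16_t guard[8];
};
static const uint16_t kGuard = 0xCCCC;

static void resetDest(Dest& d) {
    std::memset(d.buf, 0, sizeof d.buf);
    for (uint16_t& g : d.guard) g = kGuard;
}

static bool guardIntact(const Dest& d) {
    for (uint16_t g : d.guard) if (g != kGuard) return false;
    return true;
}

// Defective pattern: byteLength is a byte count but indexes uint16_t pointers,
// so each step advances two bytes and twice the intended data is written.
// The source pointer also starts at the header, not the inline storage.
static bool buggyCopy(const InlineArray& src, Dest& dst) {
    resetDest(dst);
    std::size_t byteLength = src.numElements * sizeof(uint16_t);
    const uint16_t* from = reinterpret_cast<const uint16_t*>(&src); // wrong storage area
    uint16_t* to = dst.buf;
    for (std::size_t i = 0; i < byteLength; i++) to[i] = from[i];  // 2x bytes
    return guardIntact(dst);                              // false: clobbered
}

// Corrected pattern: byte count -> element count for the pointer type in
// use, bounds-checked, copying from the inline element storage.
static bool fixedCopy(const InlineArray& src, Dest& dst) {
    resetDest(dst);
    std::size_t byteLength = src.numElements * sizeof(uint16_t);
    if (byteLength / sizeof(uint16_t) > sizeof dst.buf / sizeof *dst.buf) return false;
    std::memcpy(dst.buf, src.elements, byteLength);       // correct data pointer
    return guardIntact(dst);                              // true
}
```

Running `buggyCopy` on a four-element array lands header words in the destination and spills eight bytes into the guard, while `fixedCopy` leaves the guard untouched and rejects an array that would not fit.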

Rapid Resolution

According to Aisle’s timeline, on the very day its autonomous analyzer detected the flaw, Igor Morgenstern, a senior researcher at the startup, reported the issue to Mozilla. Within two weeks, Mozilla’s security team confirmed the vulnerability and released a fix.

Fort stated, "Mozilla’s Yury Delendik [a software engineer at Mozilla] implemented, after our responsible disclosure, a straightforward fix that addresses both issues. The corrected code properly handles type conversions and uses the correct data pointer." The flaw had significant reach, affecting all Firefox versions from 143 to early 145, and Firefox ESR (Extended Support Release) versions prior to 140.5, which collectively account for over 180 million monthly active users, according to Fort.

A Call for a 'Complete Reset' in Security

Aisle, headquartered in San Francisco and Prague, Czech Republic, publicly launched on October 16. Its executives contend that the escalating backlog of known vulnerabilities, the rapid pace at which threat actors exploit security flaws, and the increasing offensive use of AI necessitate a fundamental shift in software protection strategies.

In a blog post announcing the company, founder and CEO Ondrej Vlcek highlighted that over 40,000 software vulnerabilities were discovered last year, noting, "each one represents potential exposure, and every day the list grows longer. And even the critical ones take organizations on average 45 days to fix. Meanwhile, attackers only need five days to exploit them."

Vlcek asserted, "This moment calls for a complete reset in how we think about security. The old model of scan, prioritize, patch will not scale when organizations already face a backlog of hundreds of thousands of vulnerabilities, and are faced with AI used for offensive purposes. Security teams are locked into a never-ending cycle of remediation that just isn’t hitting the mark anymore." He further explained that Aisle’s Cyber Reasoning System leverages AI to discover zero-day flaws, automatically remediate them, and verify each fix before deployment, aiming to eliminate the vulnerability backlog entirely.