Google and Mozilla Patch Critical Browser Exploits in Chrome 135 and Firefox 137
Chrome 135 and Firefox 137 shipped this week with patches for 22 security flaws between them, including high-severity memory-safety bugs that could enable remote code execution. There is no public evidence of active exploitation, but bugs of this class are what in-the-wild browser exploits are typically built on, so delaying the update is a security risk.

On Tuesday, Google and Mozilla released Chrome 135 and Firefox 137 to their respective stable channels, each addressing high-severity vulnerabilities that could compromise user systems. Chrome 135 carries 14 security fixes, nine of them reported by external researchers. The standout is CVE-2025-3066, a high-severity use-after-free bug in Navigations. In a use-after-free, the program keeps a pointer to an object after that object's memory has been freed; if an attacker can get attacker-controlled data allocated into the reused memory before the stale pointer is dereferenced, they can corrupt the object's fields, including function pointers, and steer execution toward arbitrary code. Google has not yet disclosed the bounty for this bug. A pending payout figure says nothing about severity, though; the high rating is the signal that matters for patch priority.
Google confirmed $18,000 in rewards for this round, but that figure covers only the disclosed payouts, the largest being $10,000 to Philipp Beer (TU Wien) for an inappropriate-implementation flaw in Custom Tabs. The payout for CVE-2025-3066 is not included in that total and has not been announced.
The rest of Chrome's update includes:
➣ 3 medium-severity bugs from inappropriate implementations in Custom Tabs, Intents, and Extensions
➣ 1 medium-severity bug involving insufficient validation of untrusted input in Extensions
➣ 4 low-severity issues, including inappropriate implementations in Autofill and Downloads
Chrome 135.0.7049.52 is now live for Linux, and 135.0.7049.41/42 for Windows and macOS.
Firefox 137 patched 8 vulnerabilities, three of them rated high severity. CVE-2025-3028 is another use-after-free, this one in XSLTProcessor. Two further memory-safety bugs, CVE-2025-3030 and CVE-2025-3034, are the kind Mozilla rates high because some of them showed evidence of memory corruption and, with enough effort, could presumably have been exploited to run arbitrary code.
Other Firefox fixes included:
➣ Information disclosure bugs
➣ URL spoofing techniques
➣ Arbitrary file upload via .url shortcut abuse on Windows systems
Alongside Firefox 137, Mozilla also issued updates for Firefox ESR 128.9, ESR 115.22, Thunderbird 137, and Thunderbird ESR 128.9, all bundling similar patches.
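Both headline bugs above, CVE-2025-3066 in Chrome and CVE-2025-3028 in Firefox, are use-after-free flaws, so it is worth seeing what that class actually looks like and why the fix is about object ownership rather than wiping memory. The following is an added illustration written for this article; it is not Chromium or Firefox code and does not reproduce the mechanics of either CVE. The navigation-entry object, the tiny pool allocator and the attacker-controlled bytes are all constructed for the demo; the pool exists only so that slot reuse is deterministic, which the system malloc does not guarantee.

```c
/* Added illustration only: NOT Chromium or Firefox code, and not the
 * mechanics of CVE-2025-3066 or CVE-2025-3028. A tiny fixed-size pool
 * allocator makes slot reuse deterministic; real allocators behave the same
 * way for same-size allocations often enough for attackers to rely on it. */
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 32
#define NSLOTS 4

static _Alignas(16) unsigned char pool[NSLOTS][SLOT_SIZE];
static int free_list[NSLOTS];   /* LIFO free list of slot indices */
static int free_top;

static void pool_init(void) {
    memset(pool, 0, sizeof pool);
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)
        free_list[free_top++] = i;          /* slot 0 is handed out first */
}

static void *pool_alloc(void) {
    return free_top ? pool[free_list[--free_top]] : NULL;
}

static void pool_free(void *p) {
    /* The most recently freed slot is the one the next allocation gets. */
    free_list[free_top++] = (int)(((unsigned char *)p - &pool[0][0]) / SLOT_SIZE);
}

/* Hypothetical object: a navigation entry with a callback and a URL. */
typedef void (*handler_fn)(const char *);
struct nav_entry {
    handler_fn on_commit;
    char url[SLOT_SIZE - sizeof(handler_fn)];
};

static int which_ran;   /* 0 = nothing, 1 = legitimate handler, 2 = attacker payload */
static void legit_on_commit(const char *url) { (void)url; which_ran = 1; }
static void attacker_payload(const char *url) { (void)url; which_ran = 2; }

/* Stand-in for attacker-influenced data landing in the freed slot (constructed
 * here): the first bytes overwrite on_commit, the rest fill the URL field. */
static void attacker_reclaims_slot(void) {
    unsigned char *spray = pool_alloc();
    handler_fn fake = attacker_payload;
    memcpy(spray, &fake, sizeof fake);
    memset(spray + sizeof fake, 'A', SLOT_SIZE - sizeof fake - 1);
    spray[SLOT_SIZE - 1] = '\0';
}

/* Vulnerable: two owners hold the pointer, one frees it, the other keeps using it. */
int vulnerable_flow(void) {
    pool_init();
    which_ran = 0;

    struct nav_entry *entry = pool_alloc();
    entry->on_commit = legit_on_commit;
    snprintf(entry->url, sizeof entry->url, "https://example.test/");
    struct nav_entry *frame_current = entry;   /* second reference, untracked */

    pool_free(entry);                          /* e.g. navigation cancelled */
    attacker_reclaims_slot();                  /* same size class -> same slot */

    frame_current->on_commit(frame_current->url);   /* use after free */
    return which_ran;                               /* 2: control flow hijacked */
}

/* Hardened: whoever frees the object invalidates every other reference first,
 * and users check the reference before dispatching through it. */
int hardened_flow(void) {
    pool_init();
    which_ran = 0;

    struct nav_entry *entry = pool_alloc();
    entry->on_commit = legit_on_commit;
    snprintf(entry->url, sizeof entry->url, "https://example.test/");
    struct nav_entry *frame_current = entry;

    frame_current = NULL;                      /* invalidate before freeing */
    pool_free(entry);
    entry = NULL;
    attacker_reclaims_slot();                  /* slot is reused, but nothing points at it */

    if (frame_current == NULL)
        return 0;                              /* stale reference refused */
    frame_current->on_commit(frame_current->url);
    return which_ran;
}

int main(void) {
    printf("vulnerable: which_ran=%d (2 = attacker payload ran)\n", vulnerable_flow());
    printf("hardened:   which_ran=%d (0 = dispatch refused)\n", hardened_flow());
    return 0;
}
```

The point of the demo is that the freed bytes are never "cleared": the allocator simply hands the slot to the next same-sized request, and whatever was written there is what the stale pointer now reads. That is why production fixes centre on ownership and lifetime (reference counting, smart pointers, and in Chromium the MiraclePtr/raw_ptr mitigation that quarantines freed memory while references remain) rather than on zeroing memory after free.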
As usual, both companies are silent on whether any of these vulnerabilities have been exploited in the wild. The absence of proof is not evidence of safety. Zero-days often go undetected until it's too late. Browser updates should be treated as mandatory system hygiene.
For more on use-after-free bugs and memory safety, see the CVE record for CVE-2025-3066 and Mozilla's security advisory archive.
These flaws directly threaten system integrity. Anyone still running outdated browsers is effectively volunteering to be the next soft target.