
Mozilla Engineers and Security Researcher Manfred Paul Demonstrate Firefox Zero-Day Exploits at Pwn2Own Berlin 2025
The video documents Mozilla engineers and security researcher Manfred Paul at Pwn2Own Berlin 2025, where two Firefox zero-day exploits were demonstrated. On day one, an out-of-bounds write in the Promise.allSettled function led to remote code execution; Mozilla confirmed that the vulnerability dated back roughly six years and deployed an initial patch within hours.

On day two, Manfred Paul, a former Master of Pwn winner, disclosed a second exploit: a JIT optimization bug in Firefox’s TryEliminateBoundsCheck function. It abused 32-bit integer truncation via bitwise OR operations to bypass bounds checks and achieve arbitrary memory access. The exploit, sold for $50,000, was triggered by visiting a malicious webpage and launched the calculator as proof of code execution.

Mozilla’s response involved immediate disclosure, bisection to trace the bug’s origin, and a rapid patching process, though full QA testing delayed the public release. Paul’s research relied on manual code analysis rather than fuzzing, leveraging mathematical reasoning to identify flawed optimizations in the JavaScript engine’s bounds check elimination logic.

The video highlights the competitive and collaborative dynamics of Pwn2Own, where exploits are disclosed privately to vendors under a 90-day patch timeline, though Mozilla typically resolves issues within 48 hours.