
Critical Exploit in Firefox Neutralized by Mozilla

Mozilla has released a patch addressing a critical security vulnerability in the Firefox web browser, which is currently being actively exploited in real-world attacks.


Identified as CVE-2024-9680, this flaw is a use-after-free bug in Animation timelines. According to Mozilla's advisory, attackers can leverage the vulnerability to execute arbitrary code. It holds a severity rating of 9.8 out of 10 on the CVSSv3 scale: attack complexity is low, and exploitation requires no special privileges or user actions, making it a significant security risk.


Severe vulnerabilities in Firefox are uncommon, considering that the browser serves around 178 million users globally. This is the first time since March that Firefox has had to address a security flaw of this magnitude, and only a handful of such issues have been discovered over recent years.

The announcement triggered warnings from several national cybersecurity agencies, including the Dutch Nationaal Cyber Security Centrum, as well as the cybersecurity authorities of Canada and Italy.


The vulnerability impacts Firefox versions 131.0.2, Firefox ESR 128.3.1, and Firefox ESR 115.16.1. Users are strongly advised to update their browsers to version 131.0.2, or to 115.16.1 and 128.3.1 for Firefox ESR, to prevent potential exploitation.

