Claude Found a Fifth of Firefox's 2025 High-Severity Bugs in 2 Weeks
Anthropic's Claude Opus 4.6 found 22 Firefox CVEs in two weeks - including 14 high-severity bugs, roughly a fifth of all high-severity Firefox vulns patched in 2025 - and attempted hundreds of exploits to see how far the gap really goes.

Anthropic's frontier model just outpaced human security researchers on one of the world's most scrutinized codebases. In two weeks of collaborative work with Mozilla, Claude Opus 4.6 found 22 Firefox security vulnerabilities - including 14 rated high-severity, roughly a fifth of all high-severity Firefox vulnerabilities patched in 2025.
TL;DR
- Claude Opus 4.6 scanned ~6,000 Firefox C++ files and submitted 112 bug reports
- 22 CVEs issued, 14 rated high-severity - roughly a fifth of all high-severity Firefox vulns patched in 2025
- Mozilla shipped fixes to hundreds of millions of users in Firefox 148
- Claude succeeded at exploit creation in only 2 of several hundred attempts
- Anthropic warns the detection-exploitation gap "will not last very long"
The partnership, announced jointly by Anthropic and Mozilla today, is one of the most detailed public accounts of a frontier model being used for serious, production-scale vulnerability research. It's also a rare case of a lab disclosing not just what the model found, but what it failed to do - and why that failure matters.
| Method | Coverage | Speed | Novel findings |
|---|---|---|---|
| Traditional fuzzing | High volume, known patterns | Continuous, automated | Low - misses logic errors |
| Static analysis | Rule-based, broad | Fast | Medium - high false positives |
| Human researchers | Deep, contextual | Slow | High - expensive at scale |
| Claude Opus 4.6 | Reasoning-based, 6k+ files | Two weeks | High - caught what fuzzing missed |
How Anthropic Did It
Scanning nearly 6,000 C++ files
The methodology Anthropic used wasn't a specialty tool. Claude operated with standard system utilities - coreutils, Python, debuggers - inside a simulated environment, with no task-specific scaffolding or custom prompting. Researchers pointed it at Firefox's JavaScript engine first, then expanded to other browser components.
After just twenty minutes of initial exploration, the model identified a use-after-free vulnerability in the JavaScript engine - a class of memory corruption bug that fuzzers routinely miss, because finding one requires reasoning about object lifetimes across multiple code paths rather than just mutating inputs.
In total, Claude scanned nearly 6,000 C++ files and submitted 112 unique bug reports. Mozilla's security team said the reports came with minimal test cases that let engineers "quickly verify and reproduce each issue" - a notable contrast to the AI-generated spam reports that have increasingly plagued other open source maintainers.
Beyond fuzzing - reasoning about code
The key technical distinction Mozilla's engineers called out is that Claude found logic errors, not just the assertion failures that traditional fuzzing surfaces. Fuzzing works by flooding software with mutated inputs and watching for crashes. It's effective at finding memory bounds violations but structurally blind to semantic bugs - cases where code does exactly what it was written to do, and that's the problem.
Claude, per Mozilla's security team, approached the codebase the way a human researcher would: looking at past vulnerability fixes to find related bugs that were not fully addressed, spotting patterns in how objects interact, and reasoning about what inputs would break the underlying logic. That's a qualitatively different capability than any existing automated tool - and it produced 14 high-severity findings that had survived years of continuous fuzzing, static analysis, and expert code review.
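To make that distinction concrete, here is a small added illustration written for this article (toy code, not Mozilla's or Anthropic's): a mutation fuzzer with a crash oracle finds an off-by-one read in a constructed length-prefixed parser almost immediately, but never flags a fail-open permission check, because that code returns a wrong answer without crashing. Only an oracle that encodes the intended property catches the logic bug.

```python
import random

# Constructed target 1: a bounds bug. data[0] is the payload length n.
def parse_record(data: bytes) -> bytes:
    if not data:
        return b""
    n = data[0]
    if n > len(data):                      # off-by-one: should reject n > len(data) - 1
        raise ValueError("truncated record")  # graceful rejection, not a crash
    return bytes(data[1 + i] for i in range(n))  # IndexError when n == len(data)

# Constructed target 2: a logic bug. Unknown roles fall through to "allowed".
ACL = {"guest": {"read"}, "user": {"read", "write"}, "admin": {"read", "write", "delete"}}

def is_allowed(role: str, action: str) -> bool:
    if role not in ACL:                    # fails open instead of closed; never crashes
        return True
    return action in ACL[role]

def acl_entry(data: bytes) -> bool:
    """Bytes-level entry point ("role:action") so one fuzzer drives both targets."""
    role, _, action = data.decode("latin-1").partition(":")
    return is_allowed(role, action)

# Minimal mutation fuzzer: one random edit of the seed per iteration.
def mutate(seed: bytes, rng: random.Random) -> bytes:
    data = bytearray(seed)
    op = rng.randrange(3)
    if op == 0 and data:                   # overwrite, sometimes with a boundary value
        data[rng.randrange(len(data))] = rng.choice([0, 1, len(data), 0xFF, rng.randrange(256)])
    elif op == 1:                          # insert a byte
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == 2 and data:                 # delete a byte
        del data[rng.randrange(len(data))]
    return bytes(data)

def fuzz(target, seed: bytes, oracle, iterations: int = 2000, rng_seed: int = 1):
    """Return the first mutated input the oracle flags as a bug, or None."""
    rng = random.Random(rng_seed)
    for _ in range(iterations):
        inp = mutate(seed, rng)
        if oracle(target, inp):
            return inp
    return None

def crash_oracle(target, inp: bytes) -> bool:
    """What plain fuzzing sees: IndexError stands in for a memory-safety crash."""
    try:
        target(inp)
    except IndexError:
        return True
    except ValueError:
        pass                               # intended rejection path
    return False

def acl_property_oracle(target, inp: bytes) -> bool:
    """Semantic check a reviewer would write: an unknown role is never granted anything."""
    role = inp.decode("latin-1").partition(":")[0]
    return role not in ACL and target(inp) is True
```

Running `fuzz(acl_entry, b"guest:read", crash_oracle)` returns None no matter how many iterations you give it, while the property oracle flags the fail-open check within a handful of mutations; the lesson is that fuzzing is only as good as its oracle, which is why sanitizers and assertions matter and why logic bugs need a reviewer who reasons about intent.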
22 Firefox CVEs - including 14 rated high-severity - were patched in Firefox 148, shipped to hundreds of millions of users.
What Claude Discovered
22 CVEs, 14 high-severity
Of the 112 reports Anthropic submitted, Mozilla issued 22 CVEs covering security-sensitive bugs. Fourteen were rated high severity. The blog post from Mozilla's security team - written by Brian Grinstead and Christian Holler - notes that those 14 high-severity findings, discovered in just two weeks of scanning, represent roughly a fifth of all high-severity vulnerabilities patched in Firefox across 2025.
Most fixes shipped with Firefox 148, released in late February 2026. The remainder are scheduled for upcoming releases. The fixes reached hundreds of millions of Firefox users without public disclosure of the vulnerabilities during the remediation window - something both organizations treated as a precondition for responsible publication of the research.
Beyond the 22 CVEs, Claude flagged 90 additional bugs with no direct security impact. Most of those have been fixed as well. Mozilla says it has begun integrating AI-assisted analysis into its own internal security workflows as a result.
500+ vulnerabilities across open source
The Firefox collaboration isn't an isolated experiment. Anthropic's Frontier Red Team - about 15 researchers whose job is to probe Claude for misuse potential - has been running Claude against open-source codebases for months. The cumulative count now exceeds 500 validated high-severity vulnerabilities across production software.
The team deliberately targeted volunteer-maintained open source projects that lack dedicated security teams, because that software "runs everywhere - from enterprise systems to critical infrastructure." Some of the bugs Claude found had been sitting in those codebases for decades, undetected despite millions of CPU-hours of prior fuzzing.
This is the part that should concern anyone responsible for running open-source software in production. As we explored in our guide to AI safety and alignment, the dual-use tension in capable AI systems doesn't resolve itself - it sharpens as models improve.
The Exploitation Question
2 working exploits from hundreds of attempts
Finding a vulnerability and turning it into a working exploit are different problems. Anthropic measured both. Running several hundred exploit-generation attempts at roughly $4,000 in API costs, Claude succeeded in creating functioning exploits in exactly two cases.
That is a low success rate by any measure. But the framing matters: both working exploits functioned only in testing environments that lacked modern browser security features. In production Firefox, with sandboxing, process isolation, and the full defense-in-depth stack in place, the same exploits wouldn't have been viable.
Modern browser architecture - layered sandboxing, process isolation, and memory protections - blunted Claude's exploitation attempts in production environments.
Defense in depth holds - for now
Mozilla's engineers were direct about what this means. The exploit failures weren't because Claude couldn't reason about the vulnerability - they were because Firefox's architecture provided layers of mitigation that raised the bar beyond what the model could clear. Fixing sandbox bugs matters because it removes one rung in a potential exploit chain, even if the chain itself remains incomplete.
Anthropic's own language in the disclosure is striking. The company did not say Claude can't exploit vulnerabilities. It said the gap between discovery capability and exploitation capability "is unlikely to last very long" as models improve. That is a warning dressed as a finding.
What It Does Not Tell You
Scope was narrow. Claude scanned C++ and the JavaScript engine. Firefox's attack surface includes its networking stack, renderer, extension system, and a lot of JavaScript. The 22 CVEs likely undercount what a longer, wider scan would produce.
The cost of discovery isn't disclosed. Anthropic published the ~$4,000 API cost for exploit attempts. The cost of the discovery phase - the 112 reports from 6,000 files - goes unmentioned. That number matters for anyone trying to replicate this work or budget AI-assisted security reviews. Our best AI code review tools roundup covers some of the commercial options emerging in this space.
This was a cooperative engagement. Mozilla knew Anthropic was scanning. The researchers confirmed every bug before reporting. An adversary using the same model would skip the validation step - and skip the responsible disclosure. The question isn't whether this capability is available, but whether defenders can access and deploy it faster than attackers.
Who gets this capability? Anthropic's Frontier Red Team ran this project. The team has roughly 15 people. Scaling this to the millions of open-source packages that need it requires either a dramatic change in Anthropic's business model or significant investment in tooling that makes this accessible to maintainers who can't afford $4,000 in API credits for security research.
Twenty-two CVEs in two weeks is a remarkable result. It is also, by Anthropic's own account, probably an undercount of what Claude can find given more time, a wider codebase, and a less conservative methodology. The more important number is the one buried in the exploitation section: two working exploits out of hundreds. That gap is real today. Anthropic is telling you it won't be real indefinitely. The question is whether the security community can use this window - Firefox 148 shipped to hundreds of millions of users with those 14 high-severity bugs fixed - to build the infrastructure that makes AI-assisted defense systematic rather than exceptional.
