Mozilla and Anthropic Red Team Discover 22 CVEs in Firefox via AI-Assisted Vulnerability Detection
Mozilla has patched 22 CVEs in Firefox 148 after Anthropic's Frontier Red Team, in a coordinated collaboration with Firefox engineers, used Claude to identify more than a dozen verifiable security bugs in the browser's JavaScript engine, with reproducible minimal test cases. In total, 14 high-severity bugs and 22 security-sensitive CVEs were found and fixed, alongside 90 additional lower-severity issues, including logic error classes that traditional fuzzing techniques had not previously uncovered. The collaboration signals that large-scale AI-assisted code analysis is becoming a practical addition to the security toolkit for widely deployed open-source software.
Key Takeaways
- 22 CVEs issued and 14 high-severity bugs fixed in Firefox 148 after Anthropic Frontier Red Team used Claude to analyze Firefox's JavaScript engine; all fixed before public disclosure
- AI analysis found logic error classes not previously surfaced by fuzzing; 90 additional lower-severity bugs also discovered, most now fixed — Anthropic published a technical write-up of the research
- Mozilla has begun integrating AI-assisted analysis into its internal security workflows; Anthropic chose Firefox as a proving ground because its open-source codebase is deeply scrutinized and widely deployed
Original source: Mozilla Blog