Mozilla fixes 22 security flaws flagged by Anthropic's AI

Illustration: Sarah Grillo/Axios
Mozilla said Friday it fixed more than 100 bugs in Firefox discovered by Anthropic's Claude, including 22 security flaws.
Why it matters: AI models are rapidly lowering the cost of finding software vulnerabilities, surfacing serious flaws even in heavily scrutinized projects like Firefox.
Driving the news: Anthropic uncovered more than 500 previously unknown flaws across open-source projects while testing Claude Opus 4.6 last month — including 112 reports submitted to Mozilla over a two-week period.
- Anthropic also rolled out Claude Code Security, an automated code security testing tool, last month — briefly rattling cybersecurity stocks.
The big picture: The Mozilla case study illustrates how open-source maintainers may need to adapt to a future where AI dramatically increases both the volume and plausibility of incoming bug reports.
- Of the 112 total reports Anthropic submitted, Mozilla issued 22 CVEs for security-sensitive bugs, including 14 rated high severity.
- The remaining roughly 90 reports involved non-security issues such as crashes and logic errors.
What they're saying: "We chose Firefox because it's one of the most well-tested and secure open-source projects in the world," Logan Graham, head of Anthropic's frontier red team, said in a statement.
- "It's been scrutinized by security researchers for decades, fuzzed continuously, and maintained by engineers who really know what they're doing."
- "We went into this believing if Claude could find undiscovered high-severity bugs here, it would tell us something substantial about where these capabilities are heading and the urgency of the moment we are in," he added.
Threat level: Claude found security bugs — including 14 high-severity flaws — in Firefox's memory storage system, access boundary conditions, security safeguards and other components.
- It also surfaced dozens of non-security bugs, including issues that affected user experience but posed no direct security risk, Brian Grinstead, senior principal engineer at Mozilla, told Axios.
- Attackers could potentially chain such flaws together to bypass protections, corrupt data or escalate privileges.
Between the lines: Mozilla is well-resourced compared to many open-source projects, which often operate with small teams and limited security staff.
- Grinstead said Anthropic reached out a few weeks ago with the first validated security bug.
- After confirming the issue, Mozilla asked the team to direct Claude to search for more. The organization then pulled in multiple engineering teams to validate findings and write patches.
- "This is a large influx," Grinstead said. "We did mobilize as sort of an incident response to get the 100+ bugs that were filed, triaged and most of them fixed."
Reality check: Firefox included fixes for the issues in version 148, which rolled out Feb. 24.
- Grinstead added that exploiting the flaws would have required chaining them with other vulnerabilities.
- "Just because you find a single vulnerability, even a high vulnerability, it is not enough to hack Firefox," Grinstead said.
- Modern browsers rely on multiple layers of defense, meaning attackers would need to combine several weaknesses to mount a successful exploit.
What to watch: Less-resourced open-source maintainers may struggle to keep up as AI tools generate higher volumes of increasingly polished bug reports.
