Mozilla revealed the bugs it found in Firefox thanks to Claude Mythos, Anthropic’s AI

Mozilla has just opened the curtain on something that has been happening in silence for months, and the story is as impressive as it is disturbing. The organization behind Firefox decided to publish a sample of the bug reports that an artificial intelligence detected in its browser, and the results completely change the way we think about the security of the tool.

The model in question is Claude Mythos Preview, Anthropic’s most advanced model, designed specifically for high-level cybersecurity tasks. In a few weeks, this AI identified 271 vulnerabilities in Firefox 148, most of which were already fixed with the release of Firefox 150. To put that number in context, in all of 2025 Mozilla had managed a fraction of that number of critical bugs. This is not an incremental improvement; it is a leap of another magnitude.

More than 10 vulnerabilities exposed in detail: what the AI found

The most striking thing about the announcement is not only the number of bugs, but the complexity of those that Mozilla decided to reveal publicly. The organization published a table with more than 10 specific vulnerabilities, each with its detailed technical description, to demonstrate that these findings are not noise generated by AI, but rather real and exploitable problems.

Some examples leave you speechless. One of the bugs had been hidden for 15 years in the HTML element

activated only by very precisely combining recursion limits, expando properties, and garbage collection cycles. Another involved a 20-year-old XSLT bug in which reentrant calls to a hash table function freed memory while an active pointer was still in use.

There is more. The AI also detected an exploitable race condition via IPC that allowed a compromised process to manipulate reference counters in the parent process’s IndexedDB, achieving an escape from the sandbox, that layer of protection that isolates the rendering processes from the operating system. And it found a 16-bit integer overflow in HTML tables with rowspan=0 that had gone undetected for years even against automated fuzzing tools.

Of the 271 confirmed vulnerabilities in Firefox 150, 180 were classified as high severity, 80 as moderate and 11 as low severity. That means the vast majority represented real threats that could be triggered by completely common user behavior, such as simply browsing to a web page.

How Mozilla built an AI security pipeline

The process was not as simple as giving the AI access to the source code and waiting for results. Mozilla built an entire automated analysis infrastructure supported by its existing fuzzing system, with multiple virtual machines working in parallel, each analyzing specific parts of the Firefox code.

It all started months before with Claude Opus 4.6, a previous Anthropic model, which in just two weeks had already found 22 vulnerabilities in Firefox, with 14 classified as high severity. It took just minutes for the model to detect the first critical bug, and while the engineers were validating that finding, the AI had already found fifty more bugs.

When Claude Mythos Preview came on the scene, the pipeline was already in place and the results multiplied. The system not only identified problems, but also generated reproducible test cases that engineers could run directly to check each bug. This eliminated one of the biggest historical obstacles in this type of audit, which is the large number of false positives that consume time and resources.

More than 100 Mozilla people contributed code to correct all these vulnerabilities, in what has been described internally as a long-term effort with days of intense work. The fixes were not all released in Firefox 150, but were also distributed in versions such as 149.0.2, 150.0.1, and 150.0.2.

Tool security will never be the same

Mozilla is direct in its assessment, and it’s worth taking seriously. According to the organization, “Defenders have a chance to win” for the first time in a long time, because AI greatly lowers the cost of finding vulnerabilities before attackers do.

The logic is easy but powerful. Historically, finding a single critical bug could cost an elite researcher months of work. A motivated attacker could invest that time and money because the prize for that know-how is great. Now, tools like Claude Mythos can do that same job in days, reducing the asymmetric advantage the offensive side always had.

But not everything is optimism. Mozilla itself recognizes that these capabilities carry a risk of dual use. An AI that can find vulnerabilities to protect can also, in theory, be used to exploit them. That is why Mozilla’s call to the ecosystem is urgent and clear: any tool project should start using these tools today, before others do it first.

Mozilla points out that they have not yet found the bottom of all the latent bugs in Firefox, but the direction is positive. In the near future, the idea is to integrate this analysis directly into the browser’s continuous integration system, so that each code patch is automatically scanned before reaching production. Proactive security, at scale and in precise time, is no longer a laboratory dream.