CRITICAL🇵🇱 Wersja polska

CVE-2024-1554

CVSS 9.8v3.1pub. 2024-02-20upd. 2025-04-02

The `fetch()` API and navigation incorrectly shared the same cache, as the cache key did not include the optional headers `fetch()` may contain. Under the correct circumstances, an attacker may have been able to poison the local browser cache by priming it with a `fetch()` response controlled by the additional headers. Upon navigation to the same URL, the user would see the cached response instead of the expected response. This vulnerability affects Firefox < 123.

🤖 AI Analysis
How it works

The cache key did not account for optional headers that a fetch() request could contain. Because of this, an attacker could prime the cache using a fetch() response modified by additional headers. When the user subsequently navigated to the same URL, the browser returned poisoned data from the cache instead of the actual server response. The mechanism results from the lack of cache key integrity verification (CWE-345 — insufficient verification of data authenticity).

Impact

An attacker can replace the content displayed to the user with any specially crafted content, which may lead to credential theft, distribution of false information, or execution of malicious JavaScript code in the context of a trusted website.

Mitigation & patch

Mozilla Firefox should be updated to version 123 or newer. Patch available through Mozilla Foundation Security Advisory mfsa2024-05.

Who is affected

Mozilla Firefox in versions earlier than 123

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 123.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...