CVE-2022-22744 in Thunderbird
Summary
by MITRE • 12/22/2022
The constructed curl command from the "Copy as curl" feature in DevTools was not properly escaped for PowerShell. This could have led to command injection if pasted into a PowerShell prompt. This bug only affects Thunderbird for Windows. Other operating systems are unaffected. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
Analysis
by VulDB Data Team • 06/10/2026
This vulnerability represents a critical command injection flaw that emerged from the improper handling of shell escaping in browser developer tools functionality. The issue specifically manifested when users copied curl commands from the browser's developer tools and pasted them directly into PowerShell environments, creating a dangerous scenario where maliciously crafted input could be executed with elevated privileges. The vulnerability stems from the failure to properly escape special characters and command sequences that PowerShell interprets as executable instructions rather than literal arguments. This type of flaw aligns with CWE-78, which categorizes improper neutralization of special elements used in OS commands, and specifically demonstrates how developer tool features can introduce security risks when they fail to account for different shell environments.
Technically, this vulnerability sits at the intersection of web browser development tools and operating system command processing. When the "Copy as curl" feature generates commands, it creates output that appears harmless in Unix-like shells but becomes executable in PowerShell contexts due to differences in how special characters are interpreted. PowerShell's handling of ampersands, semicolons, and other command separators creates execution paths that bypass normal input validation, allowing attackers to inject arbitrary commands when the copied curl command is executed in PowerShell. This particular flaw demonstrates how cross-platform compatibility issues in developer tools can create unexpected security vectors, as the same functionality that works correctly in bash or zsh environments becomes dangerous in Windows PowerShell contexts.
The operational impact of this vulnerability is significant for users running affected versions of Firefox, Firefox ESR, and Thunderbird on Windows systems. The attack surface is limited to Windows users who utilize the browser's developer tools and subsequently paste commands into PowerShell prompts, but this represents a substantial risk in development environments where such workflows are common. Security researchers have noted that this vulnerability could be exploited in targeted attacks against developers or in phishing scenarios where attackers craft malicious curl commands that appear legitimate when copied from browser developer tools. The vulnerability's limited scope to Windows platforms means that while the exposure is significant for affected users, it does not represent a universal threat across all operating systems.
The mitigation strategies for this vulnerability involve both immediate patching and operational security improvements. Organizations should prioritize updating to the patched versions of Firefox ESR 91.5, Firefox 96, and Thunderbird 91.5 across all Windows systems. Additionally, security teams should implement awareness training for developers regarding the potential dangers of pasting copied commands into PowerShell environments without proper validation. The fix implemented by Mozilla and Mozilla Foundation involved modifying the curl command generation logic to properly escape special PowerShell characters, ensuring that generated commands remain safe when executed in Windows environments. This aligns with ATT&CK technique T1059.001, which covers command and scripting interpreter execution, specifically addressing how developers might inadvertently create attack vectors through seemingly benign tool features.
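To make the escaping difference concrete, the following added example (not Mozilla's code and not part of the original advisory) quotes one argument as a PowerShell single-quoted literal and checks that it decodes back to the original, with a POSIX-style quoter for contrast. All function names are hypothetical and the sample value is constructed.

```javascript
// Added example: quoting one argument as a PowerShell single-quoted literal.
// Function names are hypothetical; the sample input is constructed.

// PowerShell accepts all of these as single-quote delimiters: ' ‘ ’ ‚ ‛
const PS_SINGLE_QUOTES = /['\u2018\u2019\u201A\u201B]/g;

// POSIX sh: close the literal, emit an escaped quote, reopen the literal.
function quotePosix(arg) {
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// PowerShell: nothing is expanded inside '...'; a quote is escaped by doubling it.
function quotePowerShell(arg) {
  return "'" + arg.replace(PS_SINGLE_QUOTES, "$&$&") + "'";
}

// Minimal model of how PowerShell reads a single-quoted literal.
// Returns the decoded value and any text left over after the closing quote.
function readPsLiteral(token) {
  const isQuote = (ch) => ch !== undefined && /^['\u2018\u2019\u201A\u201B]$/.test(ch);
  if (!isQuote(token[0])) return { value: null, rest: token };
  let value = "";
  let i = 1;
  while (i < token.length) {
    if (isQuote(token[i])) {
      if (!isQuote(token[i + 1])) return { value, rest: token.slice(i + 1) };
      i += 1; // doubled quote: keep the second character
    }
    value += token[i];
    i += 1;
  }
  return { value: null, rest: "" }; // unterminated literal
}

// Check to run before emitting a command: the token must decode back to the
// original argument with nothing left outside the quotes.
function isSafePsToken(token, original) {
  const { value, rest } = readPsLiteral(token);
  return value === original && rest === "";
}

// Constructed header value containing characters PowerShell treats specially.
const sample = "X-Note: it\u2019s a & b; c | d $(e) `f` 'g'";
console.log(isSafePsToken(quotePowerShell(sample), sample)); // PowerShell-aware quoting
console.log(isSafePsToken(quotePosix(sample), sample));      // POSIX quoting reused as-is
```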
This vulnerability serves as a reminder of the complex security considerations that arise when developing cross-platform developer tools and the importance of considering shell escaping across different operating systems. The flaw demonstrates how seemingly innocuous features in browser developer tools can create security risks when they don't account for the specific command processing semantics of different operating systems. The issue also highlights the importance of proper input validation and escaping in web applications and developer tools, particularly when commands are generated programmatically and intended for execution in different shell environments. Security teams should monitor for similar vulnerabilities in other browser developer tools and ensure that all generated commands are properly sanitized for the target execution environment.