CVE-2022-22757 in Firefox
Summary
by MITRE • 12/22/2022
Remote Agent, used in WebDriver, did not validate the Host or Origin headers. This could have allowed websites to connect back locally to the user's browser to control it. <br>*This bug only affected Firefox when WebDriver was enabled, which is not the default configuration.*. This vulnerability affects Firefox < 97.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/01/2026
The vulnerability in question represents a critical security flaw within Firefox's Remote Agent implementation that operated through WebDriver functionality. This issue stemmed from inadequate validation of Host and Origin headers during remote agent connections, creating a significant attack surface that could be exploited by malicious websites to establish unauthorized communication channels with users' browsers. The flaw specifically manifested when WebDriver was enabled, a configuration that remained disabled by default within Firefox installations, thereby limiting the potential impact to only those users who had explicitly activated this feature.
The technical nature of this vulnerability aligns with CWE-284 Access Control Issues and specifically relates to insufficient header validation mechanisms. When WebDriver was enabled, the Remote Agent component failed to properly verify the origins of incoming connections, allowing remote websites to potentially establish local connections back to the user's browser instance. This misconfiguration created an opportunity for attackers to exploit the browser's remote control capabilities through malicious web pages that could initiate commands directly against the browser's WebDriver interface.
The operational impact of this vulnerability was particularly concerning as it could enable full browser control from remote websites without user consent or awareness. An attacker could potentially execute commands such as navigating to malicious sites, modifying browser settings, intercepting user input, or extracting sensitive information directly through the compromised WebDriver interface. This capability essentially provided a backdoor mechanism for unauthorized remote access to browser sessions, making it a significant concern for users who had enabled WebDriver functionality for legitimate automation purposes but were subsequently exposed to potential exploitation.
The vulnerability was addressed in Firefox version 97 and later releases, which implemented proper validation of Host and Origin headers within the Remote Agent component. Security researchers recommended that users disable WebDriver functionality unless absolutely necessary for development or testing purposes, as this mitigation effectively closed the attack vector while maintaining the browser's core functionality. Organizations should also consider implementing network-level controls to prevent unauthorized connections to localhost ports used by Firefox WebDriver implementations, particularly in environments where multiple users might have access to potentially malicious websites.
This vulnerability demonstrates the importance of proper input validation and access control mechanisms within browser components, particularly those designed for automation and remote interaction. The ATT&CK framework categorizes this type of issue under T1059 Command and Scripting Interpreter and T1071 Application Layer Protocol, highlighting how improper header validation can create pathways for command execution and protocol manipulation. The remediation approach focused on implementing strict header validation while maintaining backward compatibility for legitimate use cases, emphasizing the need for security controls that do not compromise functional requirements for authorized users.