CVE-2024-1554 in Firefoxinfo

Summary

by MITRE • 02/20/2024

The `fetch()` API and navigation incorrectly shared the same cache, as the cache key did not include the optional headers `fetch()` may contain. Under the correct circumstances, an attacker may have been able to poison the local browser cache by priming it with a `fetch()` response controlled by the additional headers. Upon navigation to the same URL, the user would see the cached response instead of the expected response. This vulnerability affects Firefox < 123.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 08/12/2025

The vulnerability described in CVE-2024-1554 represents a critical cache poisoning issue within the Firefox browser's handling of the fetch API and navigation operations. This flaw stems from an improper implementation of cache key generation that fails to account for optional headers present in fetch requests. The core technical issue manifests when the browser's cache mechanism uses identical cache keys for both fetch operations and navigation requests, despite these operations potentially containing different header sets that should logically result in distinct cached responses. This misconfiguration creates a scenario where the cache becomes vulnerable to manipulation through carefully crafted header values.

The operational impact of this vulnerability extends beyond simple cache inconsistency to potentially enable sophisticated attack vectors. When an attacker successfully poisons the browser cache through a fetch request containing malicious headers, they can manipulate what content is served during subsequent navigation to the same URL. This cache poisoning attack leverages the fact that the cache key generation process does not incorporate the full set of headers that might be present in fetch operations, allowing attackers to control the cached response that will be served during navigation. The vulnerability specifically affects Firefox versions prior to 123, indicating this was a targeted issue within a particular browser release cycle.

From a cybersecurity perspective, this vulnerability aligns with CWE-352, which addresses Cross-Site Request Forgery (CSRF) conditions where cache poisoning can be leveraged to manipulate user sessions or content delivery. The attack pattern described follows ATT&CK technique T1566.001, which covers credential access through the exploitation of web application vulnerabilities that can manipulate browser state. The flaw essentially creates a persistent cache manipulation capability that could be exploited to serve malicious content, redirect users to phishing pages, or bypass security controls that rely on proper content delivery. This type of vulnerability is particularly dangerous because it operates at the browser level and can affect any website that uses fetch API calls with headers that are not properly accounted for in cache key generation.

The mitigation strategy for this vulnerability involves updating to Firefox version 123 or later, where the cache key generation has been corrected to properly include all relevant headers from fetch requests. Additionally, developers should be aware of this behavior when implementing applications that rely on fetch API operations and ensure their applications properly handle potential cache inconsistencies. Security teams should monitor for potential exploitation attempts targeting this vulnerability, particularly in environments where users may be exposed to untrusted content or where sensitive information is transmitted through fetch operations. The fix implemented in Firefox 123 demonstrates the importance of proper cache key design and the necessity of considering all variables that could affect content delivery in web applications.

Reservation

02/15/2024

Disclosure

02/20/2024

Moderation

accepted

CPE

ready

EPSS

0.00382

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!