CVE-2024-7525 in Firefoxinfo

Summary

by MITRE • 08/06/2024

It was possible for a web extension with minimal permissions to create a `StreamFilter` which could be used to read and modify the response body of requests on any site. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 03/15/2025

This vulnerability represents a critical privilege escalation flaw in the Firefox browser's web extension architecture that allows extensions with minimal permissions to gain unauthorized access to sensitive data across all websites. The issue stems from inadequate sandboxing and permission boundaries within the browser's extension API implementation, specifically concerning the StreamFilter functionality that should have been restricted to prevent cross-site data manipulation. The vulnerability affects multiple Firefox release channels including the standard Firefox 128 and ESR versions 115.14 and 128.1, indicating a widespread impact across the browser ecosystem.

The technical flaw resides in the improper handling of StreamFilter objects within Firefox's extension API, where extensions can create these filters without proper site isolation checks. This allows malicious or compromised extensions to intercept, read, and modify HTTP response bodies from any domain, effectively bypassing the same-origin policy and cross-site request restrictions that are fundamental to web security. The StreamFilter API was designed to enable extensions to modify network requests and responses, but the implementation failed to enforce proper security boundaries, creating a pathway for extensions to access data from sites they should not be permitted to access.

The operational impact of this vulnerability is severe as it enables attackers to perform sophisticated data exfiltration and man-in-the-middle attacks across all browsing sessions. An extension with minimal permissions could potentially intercept sensitive information such as login credentials, personal data, financial information, and confidential communications from any website visited by the user. This capability extends beyond simple data theft to enable more advanced attacks including session hijacking, credential stuffing, and the injection of malicious content into web applications. The vulnerability essentially allows a low-privilege extension to act as a global network interceptor, undermining the security model that separates different websites and protects user privacy.

The vulnerability aligns with CWE-284 (Improper Access Control) and represents a failure in the principle of least privilege within Firefox's extension security model. It also maps to ATT&CK technique T1176 (Browser Extensions) and T1566 (Phishing) as it enables extensions to become more dangerous than their declared permissions would suggest. The flaw demonstrates a critical oversight in the browser's security architecture where the extension permission system failed to properly isolate network operations, allowing a compromised extension to become a universal data interceptor. Organizations should immediately update to the patched versions of Firefox and Firefox ESR to mitigate this risk, as the vulnerability provides attackers with a persistent means of accessing sensitive data across all websites visited by affected users. The security implications extend beyond individual users to enterprise environments where browser extensions are commonly deployed, making this vulnerability particularly dangerous in corporate settings where sensitive data is frequently transmitted over networks.

Responsible

Mozilla

Reservation

08/06/2024

Disclosure

08/06/2024

Moderation

accepted

CPE

ready

EPSS

0.00564

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!