Login Sign Up

CVE-2021-29991

8.1 HIGH

📋 TL;DR

Firefox and Thunderbird incorrectly accepted newline characters in HTTP/3 headers, interpreting them as separate headers. This allows attackers to perform HTTP header splitting attacks against servers using HTTP/3, potentially injecting malicious headers or bypassing security controls. Affects Firefox < 91.0.1 and Thunderbird < 91.0.1.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Thunderbird
Versions: Firefox < 91.0.1, Thunderbird < 91.0.1
Operating Systems: All platforms where Firefox/Thunderbird run
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects HTTP/3 connections. HTTP/2 and HTTP/1.1 are not vulnerable.

📦 What is this software?

Firefox by Mozilla

View all CVEs affecting Firefox →

Thunderbird by Mozilla

View all CVEs affecting Thunderbird →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could inject arbitrary HTTP headers, potentially leading to cache poisoning, session hijacking, cross-site scripting, or bypassing security filters on HTTP/3 servers.

🟠

Likely Case

Header injection leading to cache poisoning or security filter bypass on vulnerable HTTP/3 servers visited by affected browsers.

🟢

If Mitigated

Limited impact if servers properly validate headers or use HTTP/2/1.1 instead of HTTP/3.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires attacker to control HTTP response headers and victim to use affected browser with HTTP/3 enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 91.0.1, Thunderbird 91.0.1

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2021-37/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird. 2. Click menu → Help → About Firefox/Thunderbird. 3. Allow automatic update to version 91.0.1 or higher. 4. Restart browser when prompted.

🔧 Temporary Workarounds

Disable HTTP/3

all

Temporarily disable HTTP/3 in Firefox to prevent exploitation until patched.

about:config
Set network.http.http3.enabled to false

🧯 If You Can't Patch

  • Use alternative browsers without HTTP/3 support for accessing sensitive HTTP/3 servers.
  • Configure network/proxy to block or downgrade HTTP/3 connections to HTTP/2.

🔍 How to Verify

Check if Vulnerable:

Check browser version: Firefox/Thunderbird → Help → About. If version is below 91.0.1, it's vulnerable when using HTTP/3.

Check Version:

firefox --version or thunderbird --version

Verify Fix Applied:

Verify version is 91.0.1 or higher in About dialog. Test HTTP/3 connections to confirm proper header handling.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP/3 header patterns with newlines in server logs
  • Multiple headers from single HTTP/3 request

Network Indicators:

  • HTTP/3 traffic with malformed headers containing newline characters

SIEM Query:

http.protocol: "HTTP/3" AND (http.headers contains "\n" OR http.headers contains "\r")

📊 Metadata

CVE ID: CVE-2021-29991
CVSS v3 Score: 8.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE: CWE-444
Published: November 3, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-29991, you might also want to check these:

CVE-2022-22536 10.0

CVE-2022-22536 is a critical HTTP request smuggling vulnerability in multiple SAP components that al...

Same vulnerability type (CWE-444)
CVE-2025-55315 9.9

CVE-2025-55315 is an HTTP request smuggling vulnerability in ASP.NET Core that allows an authenticat...

Same vulnerability type (CWE-444)
CVE-2023-29141 9.8

This vulnerability in MediaWiki allows attackers to trigger automatic IP blocking by manipulating th...

Same vulnerability type (CWE-444)