CVE-2024-10464

6.5 MEDIUM

📋 TL;DR

This vulnerability allows attackers to cause browser denial-of-service by repeatedly writing to history interface attributes. It affects Firefox, Firefox ESR, and Thunderbird users running outdated versions. The issue was resolved by implementing rate-limiting on the affected API.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, Thunderbird < 132
Operating Systems: All platforms supported by affected applications
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable; no special settings required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete browser crash or unresponsiveness, potentially disrupting user workflows and causing data loss in unsaved sessions.

🟠 Likely Case

Browser becomes temporarily unresponsive or crashes, requiring restart and losing active tabs/sessions.

🟢 If Mitigated

Minimal impact with proper patching; rate-limiting prevents exploitation while maintaining functionality.

🌐 Internet-Facing: MEDIUM - Requires user interaction with malicious content but can be triggered via web pages.
🏢 Internal Only: LOW - Primarily affects individual user browsers rather than server infrastructure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the user to visit a malicious webpage, but no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 132+, Firefox ESR 128.4+, Thunderbird 128.4+, Thunderbird 132+

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2024-55/

Restart Required: Yes

Instructions:

1. Open affected application.
2. Go to Help > About Firefox/Thunderbird.
3. Allow automatic update check and installation.
4. Restart application when prompted.

🔧 Temporary Workarounds

Disable JavaScript (platform: all)

Prevents exploitation by blocking JavaScript execution, which would be required to trigger the vulnerability.

Use Content Security Policy (platform: all)

Implement CSP headers to restrict script execution from untrusted sources.

🧯 If You Can't Patch

  • Use alternative browsers/email clients until patching is possible.
  • Implement network filtering to block known malicious domains hosting exploit code.

🔍 How to Verify

Check if Vulnerable:

Check application version against affected ranges: Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, Thunderbird < 132.

Check Version:

Firefox/Thunderbird: Help > About Firefox/Thunderbird

Verify Fix Applied:

Confirm application version is at or above patched versions: Firefox ≥ 132, Firefox ESR ≥ 128.4, Thunderbird ≥ 128.4 or ≥ 132.
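
Added example (not part of the original advisory or Mozilla's tooling): a fleet-side version check that applies the thresholds above per branch, so that a naive "< 132" comparison does not flag a patched ESR 128.4 build. The function names, host names and the treatment of Thunderbird 128.x as the branch fixed in 128.4 are assumptions; the input is the banner printed by `firefox --version` / `thunderbird --version`.

```python
import re

# Fixed versions as listed in this advisory.
FIXED_RELEASE = (132, 0)   # Firefox, Thunderbird release channel
FIXED_ESR = (128, 4)       # Firefox ESR, Thunderbird 128.x branch

# Matches the "--version" banner, e.g. "Mozilla Firefox 128.4.0esr".
# Anything with another suffix (beta, nightly) fails to match on purpose.
_BANNER = re.compile(r"^Mozilla (Firefox|Thunderbird) (\d+(?:\.\d+)*)(esr)?$")


def status(banner):
    """Return 'patched', 'vulnerable' or 'unknown' for one version banner."""
    m = _BANNER.match(banner.strip())
    if m is None:
        return "unknown"  # unparsed builds go to manual review, not "patched"
    product, version, esr = m.groups()
    parts = tuple(int(p) for p in version.split("."))
    major_minor = (parts + (0,))[:2]  # "132" -> (132, 0)
    # Assumption: a Thunderbird 128.x build belongs to the branch fixed in
    # 128.4 even when its banner carries no "esr" suffix.
    on_esr = bool(esr) or (product == "Thunderbird" and parts[0] == 128)
    fixed = FIXED_ESR if on_esr else FIXED_RELEASE
    return "patched" if major_minor >= fixed else "vulnerable"


def audit(inventory):
    """Map each host to its status; inventory is {host: version banner}."""
    return {host: status(banner) for host, banner in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "ws-01": "Mozilla Firefox 131.0.3",
        "ws-02": "Mozilla Firefox 128.4.0esr",
        "ws-03": "Mozilla Thunderbird 128.3.1esr",
        "ws-04": "Mozilla Thunderbird 132.0",
        "ws-05": "Mozilla Firefox 132.0b9",
    }
    for host, result in audit(sample).items():
        print(f"{host}: {result}")
```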

📡 Detection & Monitoring

Log Indicators:

  • Multiple rapid writes to history API in short timeframe
  • Browser crash logs with history-related stack traces

Network Indicators:

  • Requests to domains hosting known exploit code for this CVE

SIEM Query:

source="browser_logs" AND (event="history_api_abuse" OR (event="browser_crash" AND reason="history_interface"))
