CVE-2024-6613 – This vulnerability in Firefox and Thunderbird i... (How to Fix)

Q: How do I fix CVE-2024-6613?

1. Open Firefox/Thunderbird. 2. Click menu → Help → About Firefox/Thunderbird. 3. Allow automatic update to version 128 or higher. 4. Restart the application when prompted.

Q: What is the severity of CVE-2024-6613?

CVE-2024-6613 has a CVSS score of 5.5 (MEDIUM). This vulnerability in Firefox and Thunderbird involves a WebAssembly (wasm) frame iterator getting stuck in an infinite loop when processing certain wasm frames, leading to incorrect stack traces. This affects Firefox versions before 128 and Thunderbird versions before 128. The issue could cause denial of service or potentially be leveraged for other attacks.

📋 TL;DR

This vulnerability in Firefox and Thunderbird involves a WebAssembly (wasm) frame iterator getting stuck in an infinite loop when processing certain wasm frames, leading to incorrect stack traces. This affects Firefox versions before 128 and Thunderbird versions before 128. The issue could cause denial of service or potentially be leveraged for other attacks.

💻 Affected Systems

Products:

Mozilla Firefox
Mozilla Thunderbird

Versions: Firefox < 128, Thunderbird < 128

Operating Systems: Windows, Linux, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected versions are vulnerable when processing WebAssembly content.

📦 What is this software?

Firefox by Mozilla

View all CVEs affecting Firefox →

Thunderbird by Mozilla

View all CVEs affecting Thunderbird →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could craft malicious wasm content to trigger the infinite loop, causing the browser or email client to hang or crash, leading to denial of service. In combination with other vulnerabilities, it might enable arbitrary code execution.

🟠

Likely Case

Most probable impact is denial of service where the application becomes unresponsive or crashes when processing specially crafted wasm content.

🟢

If Mitigated

With proper controls like updated versions, the vulnerability is eliminated. Network filtering could block malicious wasm content before it reaches the application.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires delivering malicious wasm content to the vulnerable application, which could be done via web pages or email attachments.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 128, Thunderbird 128

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2024-29/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird. 2. Click menu → Help → About Firefox/Thunderbird. 3. Allow automatic update to version 128 or higher. 4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable WebAssembly

all

Disable WebAssembly execution in Firefox/Thunderbird to prevent exploitation

In Firefox/Thunderbird address bar, type 'about:config', search for 'javascript.options.wasm', set to false

Use Content Security Policy

all

Implement CSP to restrict wasm content loading

Add 'script-src' directive with appropriate restrictions in web server configuration

🧯 If You Can't Patch

Disable WebAssembly via about:config settings
Use network filtering to block wasm content from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check Firefox/Thunderbird version: if version is less than 128, the system is vulnerable.

Check Version:

firefox --version (Linux) or check About Firefox in application

Verify Fix Applied:

After updating, verify version is 128 or higher and test with known safe wasm content.

📡 Detection & Monitoring

Log Indicators:

Application crash logs
High CPU usage spikes
Process hanging indicators

Network Indicators:

Unusual wasm file downloads
Suspicious web content delivery

SIEM Query:

source="firefox.log" AND ("crash" OR "hang" OR "high cpu")

📊 Metadata

CVE ID: CVE-2024-6613

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE: CWE-209

Published: July 9, 2024

Last Updated: April 4, 2025

🔗 References

https://bugzilla.mozilla.org/show_bug.cgi?id=1900523 Issue Tracking
https://www.mozilla.org/security/advisories/mfsa2024-29/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-32/ Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1900523 Issue Tracking
https://www.mozilla.org/security/advisories/mfsa2024-29/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-32/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-6613, you might also want to check these: