Login Sign Up

CVE-2024-8381

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to trigger type confusion when accessing properties on objects used as 'with' statement environments in Mozilla products. Successful exploitation could lead to arbitrary code execution or browser crashes. Affected users include anyone running vulnerable versions of Firefox, Firefox ESR, or Thunderbird.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 130, Firefox ESR < 128.2, Firefox ESR < 115.15, Thunderbird < 128.2, Thunderbird < 115.15
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable; JavaScript must be enabled (default).

📦 What is this software?

Firefox by Mozilla

View all CVEs affecting Firefox →

Firefox Esr by Mozilla

View all CVEs affecting Firefox Esr →

Firefox Esr by Mozilla

View all CVEs affecting Firefox Esr →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or malware installation.

🟠

Likely Case

Browser crashes (denial of service) or limited memory corruption leading to sandbox escape in browser context.

🟢

If Mitigated

No impact if patched; sandboxing may limit damage but not prevent initial exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires JavaScript execution; CVSS 9.8 indicates critical severity with high attack vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 130, Firefox ESR 128.2, Firefox ESR 115.15, Thunderbird 128.2, Thunderbird 115.15

Vendor Advisory: https://www.mozilla.org/security/advisories/

Restart Required: Yes

Instructions:

1. Open affected application. 2. Go to Help > About Firefox/Thunderbird. 3. Allow automatic update or download from official site. 4. Restart application.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents exploitation by blocking JavaScript execution.

Use Content Security Policy

all

Restrict script execution via CSP headers.

🧯 If You Can't Patch

  • Isolate vulnerable systems from internet access.
  • Implement application whitelisting to prevent malicious code execution.

🔍 How to Verify

Check if Vulnerable:

Check version in application: Help > About Firefox/Thunderbird.

Check Version:

firefox --version or thunderbird --version

Verify Fix Applied:

Confirm version is equal to or greater than patched versions listed.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory corruption errors
  • Unusual JavaScript execution patterns

Network Indicators:

  • Malicious JavaScript payloads targeting 'with' statements

SIEM Query:

source="firefox.log" AND ("crash" OR "segfault") OR source="thunderbird.log" AND "type confusion"

📊 Metadata

CVE ID: CVE-2024-8381
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-843
Published: September 3, 2024
Last Updated: November 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-8381, you might also want to check these:

CVE-2025-47151 9.8

A type confusion vulnerability in Entr'ouvert Lasso's SAML parsing allows remote code execution when...

Same vulnerability type (CWE-843)
CVE-2025-65570 9.8

A type confusion vulnerability in jsish 2.0 allows incorrect control flow during execution of the OP...

Same vulnerability type (CWE-843)
CVE-2023-42464 9.8

A Type Confusion vulnerability in Netatalk's afpd service allows remote attackers to potentially exe...

Same vulnerability type (CWE-843)