#VU57881 Security features bypass in Mozilla Firefox and Firefox ESR

Published: 2021-11-02

Vulnerability identifier: #VU57881

Vulnerability risk: Low


CVE-ID: CVE-2021-38507


Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Firefox (Client/Desktop applications / Web browsers)
Firefox ESR (Client/Desktop applications / Web browsers)

Vendor: Mozilla


The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists in the Opportunistic Encryption feature of HTTP/2, which allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt in to opportunistic encryption, a network attacker could forward a connection from the browser from port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. As a result, a remote attacker can bypass the Same-Origin Policy on services hosted on other ports.

Install updates from the vendor's website.

Vulnerable software versions

Mozilla Firefox: 80.0 - 93.0

Firefox ESR: 91.0 - 91.2.0
