CVE-2021-29991 Overview
Firefox incorrectly accepted a newline character in HTTP/3 headers, interpreting it as two separate headers. This implementation flaw allowed attackers to perform header splitting attacks against servers using HTTP/3, potentially enabling various malicious activities including cache poisoning, session hijacking, and cross-site scripting through injected headers.
Critical Impact
This HTTP Request Smuggling vulnerability (CWE-444) allows attackers to manipulate HTTP/3 headers, potentially compromising server-side security controls and enabling downstream attacks against web applications.
Affected Products
- Mozilla Firefox versions prior to 91.0.1
- Mozilla Thunderbird versions prior to 91.0.1
Discovery Timeline
- 2021-11-03 - CVE-2021-29991 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-29991
Vulnerability Analysis
The vulnerability exists in Firefox's HTTP/3 protocol implementation, specifically in how the browser parses and validates HTTP header lines. HTTP/3, which operates over QUIC, uses a different framing mechanism than HTTP/1.x and HTTP/2. The vulnerable code path failed to properly reject newline characters (CR/LF sequences) embedded within header values.
When a malicious server or man-in-the-middle attacker sends a crafted HTTP/3 response containing a newline character within a header value, Firefox incorrectly splits this into two separate headers. This behavior violates the HTTP specification, which requires that header values be treated atomically.
The impact of this vulnerability is significant because it enables header injection attacks. An attacker could inject additional headers that the client would process as legitimate server-sent headers. This could be exploited to:
- Inject Set-Cookie headers to perform session fixation attacks
- Manipulate caching directives to poison browser caches
- Inject security-relevant headers like Content-Security-Policy to weaken security controls
- Perform cross-site scripting attacks through header injection
Root Cause
The root cause is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests), stemming from improper validation of HTTP/3 header content. The HTTP/3 header parsing logic in Firefox failed to enforce the RFC-mandated restriction that header field values must not contain newline characters. This oversight in input validation allowed the header splitting attack to succeed.
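The check described above, written as an added example (not Firefox's code or the fix Mozilla shipped): it rejects decoded HTTP/3 fields containing CR, LF or NUL, and counts how many header lines a line-based consumer would see if the fields were written out unchecked. Function names and the sample field list are assumptions constructed for illustration.

```python
# Added example: reject decoded HTTP/3 fields whose name or value carries CR, LF or NUL.
# SAMPLE_FIELDS is constructed sample data, not captured traffic.
FORBIDDEN = {0x00: "NUL", 0x0A: "LF", 0x0D: "CR"}


def first_forbidden(data: bytes):
    """Return (offset, byte_name) for the first forbidden byte, or None."""
    for offset, byte in enumerate(data):
        if byte in FORBIDDEN:
            return offset, FORBIDDEN[byte]
    return None


def validate_fields(fields):
    """Partition decoded (name, value) pairs into accepted pairs and findings."""
    accepted, findings = [], []
    for name, value in fields:
        for part, data in (("name", name), ("value", value)):
            found = first_forbidden(data)
            if found:
                findings.append({"field": name, "part": part,
                                 "offset": found[0], "byte": found[1]})
                break
        else:  # neither part contained a forbidden byte
            accepted.append((name, value))
    return accepted, findings


def lines_after_flattening(fields):
    """Count header lines a line-based consumer sees if fields are written verbatim."""
    text = b"".join(name + b": " + value + b"\r\n" for name, value in fields)
    return len([line for line in text.split(b"\r\n") if line])


SAMPLE_FIELDS = [  # constructed
    (b"content-type", b"text/html"),
    (b"x-note", b"hello\r\nx-injected: constructed"),
    (b"cache-control", b"no-store"),
]

if __name__ == "__main__":
    ok, bad = validate_fields(SAMPLE_FIELDS)
    print("fields in:", len(SAMPLE_FIELDS),
          "lines if unchecked:", lines_after_flattening(SAMPLE_FIELDS))
    print("accepted:", ok)
    print("findings:", bad)
```

A mismatch between the number of fields decoded and the number of lines after flattening is the splitting condition; the same predicate can back the CR/LF monitoring listed under Detection Strategies wherever decoded field values are available.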
Attack Vector
This vulnerability is exploitable over the network and requires user interaction: a victim must visit a malicious website or receive content from a compromised HTTP/3 server. The attacker needs to control or intercept HTTP/3 responses to inject the malicious header content.
The attack flow involves:
- Victim initiates an HTTP/3 connection to a server controlled or compromised by the attacker
- Attacker crafts an HTTP/3 response with a header value containing embedded newline characters
- Firefox's vulnerable parser incorrectly splits the single header into multiple headers
- The injected headers are processed as legitimate, enabling subsequent attacks
For detailed technical information, refer to the Mozilla Bug Report #1724896.
Detection Methods for CVE-2021-29991
Indicators of Compromise
- Unusual HTTP/3 traffic patterns containing embedded newline sequences in header values
- Unexpected Set-Cookie headers appearing in browser sessions from untrusted domains
- Anomalous cache behavior indicating potential cache poisoning
- Signs of session hijacking or unauthorized account access correlating with HTTP/3 browsing activity
Detection Strategies
- Monitor network traffic for HTTP/3 responses containing CR/LF characters within header field values
- Implement browser version auditing to identify installations running Firefox or Thunderbird versions prior to 91.0.1
- Deploy endpoint detection and response (EDR) solutions to identify exploitation attempts
- Review web server logs for evidence of header injection or smuggling attacks originating from vulnerable clients
Monitoring Recommendations
- Enable detailed logging of HTTP/3 transactions at network perimeter devices
- Configure SentinelOne agents to monitor for known exploitation patterns and vulnerable browser versions
- Establish baseline browser version inventories and alert on outdated Mozilla product installations
- Implement application-layer protocol inspection for HTTP/3 traffic where feasible
How to Mitigate CVE-2021-29991
Immediate Actions Required
- Update Mozilla Firefox to version 91.0.1 or later immediately
- Update Mozilla Thunderbird to version 91.0.1 or later immediately
- Audit all endpoints for vulnerable browser versions and prioritize remediation
- Consider temporarily disabling HTTP/3 support in Firefox via about:config if immediate patching is not possible
Patch Information
Mozilla has released security patches addressing this vulnerability. The fix is included in Firefox 91.0.1 and Thunderbird 91.0.1. Organizations should obtain the updated versions from official Mozilla distribution channels.
For complete details, see the Mozilla Security Advisory MFSA-2021-37.
Workarounds
- Disable HTTP/3 support in Firefox by navigating to about:config and setting network.http.http3.enabled to false
- Deploy network-level controls to block or inspect HTTP/3 traffic until clients are patched
- Use enterprise browser management tools to enforce minimum browser version requirements
- Consider deploying alternative browsers while awaiting patch deployment
# Firefox HTTP/3 mitigation via user.js (user preference file)
# Add to Firefox profile directory's user.js file
user_pref("network.http.http3.enabled", false);
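An added audit example (not Mozilla or vendor tooling) that combines the two checks this page recommends: whether the reported version is prior to 91.0.1, and whether the `network.http.http3.enabled` workaround is set in the profile's preference files. The function names and the three status labels are assumptions; the caller is assumed to pass the output of the product's version command and the text of `prefs.js` followed by `user.js`.

```python
# Added example: classify an installation against the page's fixed version and workaround.
import re

FIXED = (91, 0, 1)  # first fixed Firefox/Thunderbird release per this page
PREF = "network.http.http3.enabled"
# Matches uncommented user_pref("name", value); lines only.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)


def parse_version(text):
    """Extract (major, minor, patch) from text such as 'Mozilla Firefox 91.0'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def http3_disabled(prefs_text):
    """True if the last uncommented assignment of the pref is false."""
    value = None
    for name, raw in PREF_RE.findall(prefs_text):
        if name == PREF:
            value = raw  # later assignments override earlier ones
    return value == "false"


def assess(version_text, prefs_text=""):
    """Return 'patched', 'mitigated' (workaround set) or 'vulnerable'."""
    if parse_version(version_text) >= FIXED:
        return "patched"
    return "mitigated" if http3_disabled(prefs_text) else "vulnerable"


if __name__ == "__main__":
    # Constructed inventory rows: (host, version output, preference file text)
    inventory = [
        ("host-a", "Mozilla Firefox 91.0", ""),
        ("host-b", "Mozilla Firefox 91.0.1", ""),
        ("host-c", "Mozilla Firefox 90.0.2",
         'user_pref("network.http.http3.enabled", false);'),
    ]
    for host, version, prefs in inventory:
        print(host, assess(version, prefs))
```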
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

