CVE-2022-31736 Overview
CVE-2022-31736 is an Information Disclosure vulnerability affecting Mozilla Firefox, Firefox ESR, and Thunderbird. A malicious website could exploit this flaw to learn the size of cross-origin resources that support HTTP Range requests. This vulnerability stems from improper enforcement of Cross-Origin Resource Sharing (CORS) policies, classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains).
The vulnerability allows attackers to bypass same-origin policy restrictions and gather information about resources hosted on other domains. While this may seem limited in scope, knowledge of resource sizes can be leveraged for fingerprinting attacks, identifying specific files or versions of software, or as part of a larger attack chain.
Critical Impact
Attackers can probe cross-origin resources to determine file sizes, potentially enabling resource fingerprinting, user tracking, and reconnaissance for follow-up attacks.
Affected Products
- Mozilla Firefox versions prior to 101
- Mozilla Firefox ESR versions prior to 91.10
- Mozilla Thunderbird versions prior to 91.10
Discovery Timeline
- 2022-12-22 - CVE-2022-31736 published to NVD
- 2025-04-15 - Last updated in NVD database
Technical Details for CVE-2022-31736
Vulnerability Analysis
This vulnerability exploits the HTTP Range request feature, which allows clients to request specific byte ranges of a resource. When a server supports Range requests, it responds with partial content and typically includes a Content-Range header indicating the total size of the resource. The flaw in affected Mozilla products allowed malicious websites to infer the size of cross-origin resources by observing the behavior of Range request responses, even when CORS policies should have prevented such information disclosure.
The issue relates to CWE-942 (Permissive Cross-domain Policy with Untrusted Domains), indicating that the browser's cross-origin protections were insufficiently restrictive when handling Range requests. An attacker could craft JavaScript code on their malicious site to make Range requests to third-party resources and deduce their sizes based on response characteristics.
Root Cause
The root cause lies in the browser's improper handling of cross-origin Range requests. While the same-origin policy should prevent websites from accessing content from different origins, the implementation failed to adequately mask or restrict information leakage through Range request response metadata. The browser did not properly sanitize or block the side-channel information that could reveal resource sizes to unauthorized origins.
Attack Vector
The attack is network-based and requires no user interaction beyond visiting a malicious webpage. An attacker would set up a website containing JavaScript that initiates Range requests to target resources on other domains. By analyzing the responses—including timing, error codes, or partial content indicators—the attacker can determine the exact size of the cross-origin resource.
This information can be used to:
- Fingerprint specific files or application versions on target servers
- Identify whether certain sensitive resources exist
- Profile users based on resources available to them
- Gather intelligence for subsequent targeted attacks
The attack requires the target resource to support HTTP Range requests, which is common for media files, downloads, and many web applications.
Detection Methods for CVE-2022-31736
Indicators of Compromise
- Unusual patterns of HTTP Range requests originating from browser processes to multiple external domains
- JavaScript code making repeated partial content requests to third-party resources
- Network traffic showing systematic probing of Range request endpoints
- Browser logs indicating cross-origin Range requests from untrusted sites
Detection Strategies
- Monitor network traffic for suspicious patterns of Range requests to external domains, especially from unfamiliar or recently visited websites
- Implement Content Security Policy (CSP) headers to restrict which domains can be accessed from your web applications
- Deploy browser-based security extensions that can detect and block suspicious cross-origin request patterns
- Review server logs for unusual Range request patterns that may indicate reconnaissance activity
Monitoring Recommendations
- Enable detailed browser logging to capture cross-origin request attempts during security investigations
- Configure web application firewalls to alert on anomalous Range request patterns
- Implement network-level monitoring for browsers making excessive cross-origin requests
- Use endpoint detection solutions to monitor browser process behavior for signs of information gathering attacks
How to Mitigate CVE-2022-31736
Immediate Actions Required
- Update Mozilla Firefox to version 101 or later immediately
- Update Mozilla Firefox ESR to version 91.10 or later
- Update Mozilla Thunderbird to version 91.10 or later
- Enable automatic updates to ensure timely application of future security patches
- Review organizational browser deployment policies to enforce minimum version requirements
Patch Information
Mozilla has addressed this vulnerability in the following releases:
- Firefox 101 (see Mozilla Security Advisory MFSA-2022-20)
- Firefox ESR 91.10 (see Mozilla Security Advisory MFSA-2022-21)
- Thunderbird 91.10 (see Mozilla Security Advisory MFSA-2022-22)
Technical details are available in Mozilla Bug Report #1735923.
Workarounds
- Restrict browsing to trusted websites only until patches can be applied
- Implement network-level controls to block or monitor suspicious cross-origin requests
- Use browser isolation solutions to contain potential information disclosure attacks
- Deploy Content Security Policy headers on your web applications to limit cross-origin interactions
# Verify Firefox version from command line
firefox --version
# Verify Thunderbird version
thunderbird --version
# Example CSP header to restrict cross-origin requests (for web server configuration)
# Add to your web server configuration:
# Header set Content-Security-Policy "default-src 'self'; connect-src 'self'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
