CVE-2022-31739 Overview
CVE-2022-31739 is a path traversal vulnerability affecting Mozilla Firefox, Firefox ESR, and Thunderbird on Windows systems. The vulnerability exists because the % character was not properly escaped when downloading files, allowing attackers to manipulate file download locations using Windows environment variables such as %HOMEPATH% or %APPDATA%. This flaw could enable attackers to save malicious files to arbitrary locations on the victim's system.
Critical Impact
Attackers can leverage unescaped environment variables in filenames to redirect downloads to sensitive system directories, potentially enabling persistence mechanisms, credential theft, or further system compromise on Windows systems.
Affected Products
- Mozilla Firefox versions prior to 101
- Mozilla Firefox ESR versions prior to 91.10
- Mozilla Thunderbird versions prior to 91.10
Discovery Timeline
- 2022-12-22 - CVE-2022-31739 published to NVD
- 2025-04-16 - Last updated in NVD database
Technical Details for CVE-2022-31739
Vulnerability Analysis
This vulnerability stems from improper input validation in the file download handling mechanism of Mozilla browsers on Windows. When a user initiates a file download, the browser processes the filename provided by the server or derived from the URL. The vulnerability occurs because special characters, specifically the percent sign (%), are not properly sanitized before being used in file system operations.
On Windows systems, the percent sign is used to denote environment variables (e.g., %APPDATA%, %HOMEPATH%, %USERPROFILE%). When these variables appear in a filename and are not escaped, the Windows operating system expands them to their actual directory paths. This behavior can be exploited by an attacker to redirect where a downloaded file is saved, potentially placing malicious content in startup directories, application data folders, or other sensitive locations.
This vulnerability is classified under CWE-73 (External Control of File Name or Path), indicating that external input can influence file system operations in an unintended manner.
Root Cause
The root cause of CVE-2022-31739 is the failure to properly escape or sanitize the percent character (%) in filenames during the download process. The download handler did not account for Windows-specific path expansion behaviors, allowing environment variable strings embedded in filenames to be interpreted and expanded by the operating system rather than being treated as literal characters.
Attack Vector
The attack requires user interaction where a victim must be enticed to download a file from a malicious website or click a specially crafted download link. The attacker can craft a filename containing Windows environment variables that, when processed by the vulnerable browser, result in the file being saved to an attacker-controlled location on the filesystem.
For example, an attacker could serve a file with a name like %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\malware.exe, which after environment variable expansion could place a malicious executable in the user's startup folder, achieving persistence on the system.
The attack mechanism involves:
- Attacker hosts a malicious file with a specially crafted filename containing % environment variable references
- Victim navigates to the malicious page and initiates or is prompted to download the file
- Firefox/Thunderbird fails to escape the % character in the filename
- Windows expands the environment variables, redirecting the file to an attacker-chosen directory
- The malicious file is saved to a sensitive location, potentially enabling code execution on next login or application launch
Detection Methods for CVE-2022-31739
Indicators of Compromise
- Unexpected files appearing in Windows startup directories (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\)
- Files with unusual names in %APPDATA%, %LOCALAPPDATA%, or %USERPROFILE% directories that correlate with recent browser activity
- Browser download history showing filenames containing percent-encoded environment variable strings
- Suspicious executable or script files in user-writable system directories
Detection Strategies
- Monitor file system activity for writes to startup folders or other sensitive directories originating from Firefox, Thunderbird, or Firefox ESR processes
- Implement endpoint detection rules to alert on files created in protected directories by browser processes
- Review browser download logs for filenames containing % followed by common environment variable names
- Deploy behavioral analysis to detect unusual file placement patterns from browser applications
Monitoring Recommendations
- Enable auditing on sensitive Windows directories such as startup folders and application data directories
- Configure SIEM rules to correlate browser process activity with file system writes to non-standard download locations
- Implement file integrity monitoring on directories commonly targeted by persistence mechanisms
- Monitor for newly created executable files in user-accessible autostart locations
How to Mitigate CVE-2022-31739
Immediate Actions Required
- Update Mozilla Firefox to version 101 or later
- Update Mozilla Firefox ESR to version 91.10 or later
- Update Mozilla Thunderbird to version 91.10 or later
- Review recent downloads on affected Windows systems for files in unexpected locations
Patch Information
Mozilla has addressed this vulnerability in Firefox 101, Firefox ESR 91.10, and Thunderbird 91.10. The fix ensures proper escaping of the % character in filenames during the download process, preventing environment variable expansion. Organizations should prioritize updating all affected Mozilla products on Windows systems.
For detailed information on the security updates, refer to the Mozilla Security Advisory MFSA-2022-20, Mozilla Security Advisory MFSA-2022-21, and Mozilla Security Advisory MFSA-2022-22. Additional technical details are available in Mozilla Bug Report #1765049.
Workarounds
- Configure browser settings to always prompt for download location rather than using automatic download directories
- Implement application whitelisting or execution controls on sensitive directories like startup folders
- Use enterprise browser management policies to enforce prompt-based downloading behavior
- Consider restricting user write permissions to common persistence locations where operationally feasible
# Check current Firefox version on Windows via command line
"C:\Program Files\Mozilla Firefox\firefox.exe" --version | findstr /i "Mozilla Firefox"
# Verify Thunderbird version
"C:\Program Files\Mozilla Thunderbird\thunderbird.exe" --version
# Monitor for files in startup directory created by browser processes
dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup" /TC
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
