CVE-2024-1554 Overview
CVE-2024-1554 is a cache poisoning vulnerability in Mozilla Firefox versions prior to 123. The fetch() API and browser navigation incorrectly shared the same HTTP cache, while the cache key omitted optional headers supplied to fetch(). An attacker who can trigger a fetch() call with attacker-controlled headers can prime the local browser cache with a manipulated response. When the user subsequently navigates to the same URL, the browser serves the poisoned cached entry rather than the legitimate server response. The flaw is tracked under [CWE-345: Insufficient Verification of Data Authenticity].
Critical Impact
Attackers can poison the local Firefox cache so users receive attacker-controlled content on legitimate URLs, enabling content spoofing and downstream client-side attacks.
Affected Products
- Mozilla Firefox versions prior to 123
- Products bundling vulnerable Firefox builds released before February 20, 2024
- Downstream browsers reusing the affected Gecko networking stack
Discovery Timeline
- 2024-02-20 - CVE-2024-1554 published to the National Vulnerability Database
- 2024-02-20 - Mozilla publishes Mozilla Security Advisory MFSA-2024-05 with the fix in Firefox 123
- 2025-04-02 - Last updated in NVD database
Technical Details for CVE-2024-1554
Vulnerability Analysis
Firefox maintains a shared HTTP cache used by both top-level navigation requests and Fetch API requests issued from JavaScript. The cache key derivation logic uses request URL and a subset of request attributes to identify cache entries. The Fetch API permits callers to supply custom request headers that can influence the server response, including Accept, Accept-Language, and other content-negotiation headers. Because the cache key did not incorporate these optional headers, a fetch() response stored against a URL was treated as interchangeable with a response retrieved by direct navigation to that URL. An attacker-controlled page can issue a crafted fetch() to a third-party origin, store the resulting response in the cache, and influence what the victim sees when navigating to the same URL.
Root Cause
The root cause is a cache key derivation defect. The cache lookup did not include request-modifying headers that affect server response selection. Two requests producing different server responses collided on the same key, so the cache could not distinguish a navigation request from a header-influenced fetch() request to the same URL.
Attack Vector
Exploitation requires the victim to visit an attacker-controlled page that issues a fetch() to the target origin with chosen headers. The server response is cached under the URL key. When the victim subsequently navigates to that URL, Firefox serves the cached response instead of issuing a fresh navigation request. The attacker does not need to control the target server; they only need to elicit a response variant favorable to their attack by manipulating request headers.
No verified public exploit code is available for CVE-2024-1554. See Mozilla Bug Report #1816390 for technical details.
Detection Methods for CVE-2024-1554
Indicators of Compromise
- Firefox installations reporting a user-agent version less than 123 in web server logs
- Unexpected variation between a server's logged response and the content rendered to a Firefox client for the same URL
- Repeated fetch() requests from third-party origins immediately preceding navigations to the same target URL in browser telemetry
Detection Strategies
- Inventory endpoints to identify Firefox installations below version 123 using endpoint management or browser telemetry.
- Review proxy and web gateway logs for cross-origin fetch() patterns where third-party pages request sensitive internal URLs with non-default headers.
- Correlate client-reported content hashes against server-side response hashes to surface cache-poisoning discrepancies.
Monitoring Recommendations
- Monitor browser version distribution in enterprise asset inventories and alert on outdated Firefox builds.
- Track Content Security Policy and CORS violation reports that may indicate attacker pages probing cacheable endpoints.
- Enable extended HTTP logging on sensitive applications to compare served versus rendered content for forensic review.
How to Mitigate CVE-2024-1554
Immediate Actions Required
- Upgrade all Firefox installations to version 123 or later across managed endpoints.
- Push the update through enterprise software distribution channels and verify completion via inventory reporting.
- Restart browser sessions after upgrade to clear any previously poisoned cache entries.
Patch Information
Mozilla fixed CVE-2024-1554 in Firefox 123 by correcting the cache key derivation so that optional fetch() request headers are included in cache lookups. Full remediation details are documented in Mozilla Security Advisory MFSA-2024-05 and the underlying Mozilla Bug Report #1816390.
Workarounds
- Clear the Firefox HTTP cache on affected endpoints until upgrades complete.
- Restrict access to untrusted websites via web filtering on systems that cannot be immediately patched.
- Configure enterprise policy to enforce automatic Firefox updates through the policies.json file or the Firefox ADMX templates.
# Configuration example: enforce Firefox auto-update via policies.json
# Place this file at the Firefox distribution directory
{
"policies": {
"DisableAppUpdate": false,
"AppAutoUpdate": true,
"OverrideFirstRunPage": "",
"DisableTelemetry": false
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
