CVE-2024-6601 Overview
CVE-2024-6601 is a race condition vulnerability in Mozilla Firefox and Thunderbird that allows a cross-origin container to obtain the permissions of the top-level origin. The flaw stems from a Time-of-Check Time-of-Use (TOCTOU) condition [CWE-367] in the permission validation logic. An attacker exploiting this issue could elevate the privileges of an embedded cross-origin context to match those granted to the parent page, breaking the same-origin permission boundary enforced by the browser.
The vulnerability affects Firefox versions before 128, Firefox ESR before 115.13, Thunderbird before 115.13, and Thunderbird before 128. Mozilla addressed the issue in coordinated security advisories MFSA-2024-29 through MFSA-2024-32.
Critical Impact
A successful exploit lets a cross-origin frame inherit sensitive permissions such as camera, microphone, geolocation, or notifications granted only to the top-level origin.
Affected Products
- Mozilla Firefox versions earlier than 128
- Mozilla Firefox ESR versions earlier than 115.13
- Mozilla Thunderbird versions earlier than 115.13 and earlier than 128
Discovery Timeline
- 2024-07-09 - CVE-2024-6601 published to NVD
- 2025-04-04 - Last updated in NVD database
Technical Details for CVE-2024-6601
Vulnerability Analysis
The vulnerability is a race condition classified under [CWE-367] (Time-of-Check Time-of-Use). The browser checks the origin associated with a permission request at one point in time, but the actual permission grant or use occurs later. Between those two events, the underlying context can be replaced or modified so that a cross-origin container ends up bound to permissions intended for the top-level origin.
This allows an embedded resource, such as an iframe loaded from a different origin, to operate with elevated permissions it should not have. The classic permission model assumes that cross-origin containers must request their own permissions independently. The race condition undermines that boundary.
The issue requires the attacker to have a privileged position relative to the user, reflected in the attack vector requirements. Once exploited, the attacker can access browser features tied to permissions previously granted by the user, including media devices and location data.
Root Cause
The root cause is non-atomic handling of the permission check and the subsequent permission assignment within the browser's permission manager. Concurrent execution paths in the renderer or permission delegation logic create a window where origin context can change between validation and enforcement.
Attack Vector
Exploitation requires a malicious or compromised web page that loads a cross-origin container and triggers the race condition during permission lookup. The attacker manipulates timing so that a permission decision intended for the top-level origin is applied to the cross-origin context. Technical details are documented in Mozilla Bug Report ID 1890748.
No public proof-of-concept code is available for this issue. See the Mozilla Security Advisory MFSA-2024-29 for vendor-supplied technical context.
Detection Methods for CVE-2024-6601
Indicators of Compromise
- Firefox or Thunderbird binaries reporting versions below 128 or ESR 115.13 in enterprise inventories.
- Browser telemetry showing cross-origin frames accessing permission-gated APIs such as getUserMedia, geolocation, or Notification without matching prompts.
- Unexpected outbound media or location data from origins that were not granted those permissions by the user.
Detection Strategies
- Audit installed browser versions across managed endpoints and flag any host running an unpatched Firefox or Thunderbird build.
- Review web proxy and DNS logs for pages embedding cross-origin iframes that subsequently trigger permission-sensitive API calls.
- Correlate browser process telemetry with permission prompt history to detect mismatches between granted origins and active consumers.
Monitoring Recommendations
- Track browser version distribution through endpoint management tooling and alert on regressions below the patched release.
- Monitor for anomalous use of media, location, and notification APIs originating from embedded frames.
- Forward browser update events and crash reports into a centralized log platform for review.
How to Mitigate CVE-2024-6601
Immediate Actions Required
- Upgrade Firefox to version 128 or later on all managed endpoints.
- Upgrade Firefox ESR to version 115.13 or later in environments standardized on the extended support release.
- Upgrade Thunderbird to version 115.13 or 128 or later, matching the supported channel in use.
- Verify deployment by checking about:support or enterprise inventory data after the update.
Patch Information
Mozilla released fixes in the security advisories MFSA-2024-29, MFSA-2024-30, MFSA-2024-31, and MFSA-2024-32. Apply the patched versions through standard update channels or enterprise distribution mechanisms.
Workarounds
- No vendor-supplied workaround exists; patching is the supported remediation.
- Restrict use of permission-gated browser features through enterprise policy where business requirements allow.
- Use browser policies to block or limit cross-origin iframe embedding on high-risk internal applications until updates are deployed.
# Configuration example: enforce minimum Firefox version via enterprise policy
# /etc/firefox/policies/policies.json
{
"policies": {
"DisableAppUpdate": false,
"AppAutoUpdate": true,
"OverrideFirstRunPage": "",
"Permissions": {
"Camera": { "BlockNewRequests": true },
"Microphone": { "BlockNewRequests": true },
"Location": { "BlockNewRequests": true }
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

