CVE-2024-9399 Overview
CVE-2024-9399 is a denial of service vulnerability affecting Mozilla Firefox and Thunderbird. A malicious website can initiate a specially crafted WebTransport session that crashes the Firefox process, terminating the browser and any active sessions. The issue is classified under [CWE-404] Improper Resource Shutdown or Release.
The vulnerability affects Firefox versions earlier than 131, Firefox ESR earlier than 128.3, and Thunderbird versions earlier than 128.3 and 131. Exploitation requires no authentication, no user interaction beyond visiting a malicious page, and can be triggered remotely over the network.
Critical Impact
Remote attackers can crash the Firefox or Thunderbird process without authentication or user interaction by hosting a malicious WebTransport endpoint.
Affected Products
- Mozilla Firefox versions earlier than 131
- Mozilla Firefox ESR versions earlier than 128.3
- Mozilla Thunderbird versions earlier than 128.3 and 131
Discovery Timeline
- 2024-10-01 - CVE-2024-9399 published to NVD
- 2025-03-14 - Last updated in NVD database
Technical Details for CVE-2024-9399
Vulnerability Analysis
The vulnerability resides in Firefox's WebTransport implementation. WebTransport is a web API that provides bidirectional, low-latency communication between a client and server over HTTP/3. The flaw allows a remote server to construct a WebTransport session with malformed or unexpected parameters that the Firefox process cannot handle, causing a process crash.
The vulnerability is tracked in Mozilla Bug #1907726 and addressed in advisories MFSA-2024-46, MFSA-2024-47, MFSA-2024-49, and MFSA-2024-50. The EPSS score is 0.26% with a 49.5 percentile, indicating limited observed exploitation interest. No public proof-of-concept code is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Root Cause
The root cause is improper resource shutdown or release [CWE-404] within Firefox's WebTransport session handling logic. When the browser receives a specially crafted session initiation, resource management fails, resulting in process termination rather than graceful error handling.
Attack Vector
The attack vector is network-based. An attacker hosts a website configured to initiate a malicious WebTransport session. When a victim browses to that site using a vulnerable Firefox or Thunderbird version, the application establishes the WebTransport session and crashes. The attack requires no credentials and no privileged interaction beyond loading the attacker-controlled page.
The vulnerability mechanism is described in the Mozilla Bug Report #1907726. Synthetic exploit code is not available, and no verified proof-of-concept has been published.
Detection Methods for CVE-2024-9399
Indicators of Compromise
- Unexpected Firefox or Thunderbird process crashes shortly after navigation to an external website
- Crash reports referencing WebTransport, HTTP/3, or QUIC session handling components
- Outbound HTTP/3 (QUIC over UDP port 443) connections to unfamiliar domains preceding browser termination
Detection Strategies
- Inventory Firefox and Thunderbird versions across managed endpoints and compare against patched releases (Firefox 131, Firefox ESR 128.3, Thunderbird 128.3/131)
- Correlate browser process exit codes with preceding network connections to detect crash patterns tied to external sites
- Review Mozilla crash telemetry submissions for repeated WebTransport-related signatures
Monitoring Recommendations
- Monitor endpoint telemetry for abnormal Firefox or Thunderbird termination events using EDR process logs
- Track outbound QUIC traffic from browsers to identify unusual WebTransport destinations
- Alert on repeated browser restarts on a single host within short time windows, which may indicate targeted DoS
How to Mitigate CVE-2024-9399
Immediate Actions Required
- Upgrade Firefox to version 131 or later on all endpoints
- Upgrade Firefox ESR to version 128.3 or later for enterprise deployments
- Upgrade Thunderbird to version 128.3 or 131 or later across all user mailboxes
- Restart browser and mail client processes after applying updates to ensure patched binaries are loaded
Patch Information
Mozilla released fixes documented in MFSA-2024-46, MFSA-2024-47, MFSA-2024-49, and MFSA-2024-50. Apply the corresponding updates for each affected product line. Enterprise administrators should use Mozilla's enterprise deployment tooling or operating system package managers to roll out fixed versions.
Workarounds
- Disable WebTransport in Firefox by setting network.webtransport.enabled to false in about:config until the patch is applied
- Block outbound HTTP/3 (UDP 443) traffic at the perimeter for browsers that do not require WebTransport functionality
- Restrict browsing to trusted sites via web proxy policies if rapid patching is not feasible
# Configuration example: disable WebTransport via Firefox enterprise policy (policies.json)
{
"policies": {
"Preferences": {
"network.webtransport.enabled": {
"Value": false,
"Status": "locked"
}
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
