Mozilla Firefox and Thunderbird Header Splitting Vulnerability in HTTP/3

Vulnerability

A header splitting vulnerability has been identified in Mozilla Firefox and Thunderbird. The applications incorrectly processed newlines in HTTP/3 headers: a header containing a newline was split into two separate headers. This flaw, present in Firefox and Thunderbird versions prior to 91.0.1, allows header splitting attacks against servers using HTTP/3.

Impact

Exploitation of this vulnerability could lead to HTTP response splitting, a critical security issue that can cause various problems on affected websites, such as web application logic manipulation or cross-site scripting attacks.

Reproduction

To reproduce this vulnerability, first access a server that supports HTTP/3 and can return a header with a newline. Then, open Firefox or Thunderbird and navigate to the server. With the Network tab active, observe how the application parses the header. Instead of recognizing it as a single header, Firefox splits it into two, similar to the behavior in HTTP/1.1. The issue is confirmed when the response headers show two separate headers where the server sent a single header that includes a newline.
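The splitting behavior described above, next to the strict handling RFC 9114 requires (a field value containing NUL, CR or LF makes the message malformed), as an added example that is not Firefox or Thunderbird code. The function names and the sample header list are hypothetical, and `naive_flatten` is only a simplified model of line-based re-parsing, not the actual implementation.

```python
# Added example: a simplified model, not code from Firefox or Thunderbird.
FORBIDDEN = {0x00, 0x0A, 0x0D}  # NUL, LF, CR are not allowed in a field value


class MalformedMessage(ValueError):
    """Raised when a decoded field means the whole message must be rejected."""


def naive_flatten(fields):
    """Flawed model: write decoded (name, value) pairs out as an HTTP/1.1-style
    text block and re-parse it line by line, so a newline inside one value
    becomes a header boundary."""
    block = b"".join(name + b": " + value + b"\r\n" for name, value in fields)
    parsed = []
    for line in block.replace(b"\r\n", b"\n").split(b"\n"):
        if b":" in line:
            name, _, value = line.partition(b":")
            parsed.append((name.strip().lower(), value.strip()))
    return parsed


def validate_fields(fields):
    """Hardened model: reject the message if any value carries NUL, CR or LF.
    The value is never stripped, truncated or split."""
    for name, value in fields:
        bad = FORBIDDEN.intersection(value)  # iterating bytes yields ints
        if bad:
            raise MalformedMessage(
                f"field {name!r} contains forbidden byte(s) {sorted(bad)}"
            )
    return list(fields)


# Constructed sample: two decoded HTTP/3 fields; the second value holds a line feed.
SAMPLE = [
    (b"content-type", b"text/html"),
    (b"x-trace", b"abc\nx-injected: 1"),
]

if __name__ == "__main__":
    print("naive parser sees:", naive_flatten(SAMPLE))
    try:
        validate_fields(SAMPLE)
    except MalformedMessage as exc:
        print("strict parser rejects message:", exc)
```

The same check is useful on the server side as defense in depth: an application or proxy that refuses to emit header values containing CR, LF or NUL does not depend on every client handling them correctly.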

Remediation

Users can update to Firefox or Thunderbird version 91.0.1 to address this vulnerability.

Added: Mar 11, 2026, 7:05 PM
Updated: Mar 11, 2026, 7:05 PM

Vulnerability Rating

Custom Algorithm
spread: 8.4
impact: 0.6
exploitability: 5.2
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.