CVE-2021-29991

Summary

Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3. This vulnerability affects Firefox < 91.0.1 and Thunderbird < 91.0.1.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefoxunspecified < 91.0.1affected
MozillaThunderbirdunspecified < 91.0.1affected

Weaknesses

  • Header Splitting possible with HTTP/3 Responses

ADP Enrichment

CVE Program Container

Additional References

References