Mozilla Firefox Animation Timeline Use-After-Free RCE
CVE-2024-9680 is a use-after-free vulnerability in Mozilla's Animation timelines component affecting Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR. Mozilla states that an attacker could achieve code execution in the content process by exploiting a dangling pointer condition in Animation timelines after the underlying object had been freed. The flaw was reported as exploited in the wild. Affected versions are Firefox prior to 131.0.2, Firefox ESR prior to 128.3.1 and 115.16.1, Thunderbird prior to 131.0.1, and Thunderbird ESR prior to 128.3.1 and 115.16.0.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository contains a proof-of-concept and original exploit code for CVE-2024-9680, a critical use-after-free (UAF) vulnerability in Mozilla Firefox and Thunderbird's animation timeline management. The exploit achieves remote code execution in the browser's content process by leveraging complex SVG animation structures, heap spraying, and a UAF trigger via JavaScript. The repository includes:
- README.md: Detailed analysis, legal/ethical disclaimers, and technical breakdown of the exploit stages.
- exploit/cssbanner.js: Implements memory manipulation, shellcode decoding, and ROP chain construction, executed in a Web Worker context.
- exploit/index.html: A safety-modified, educational version of the exploit with technical commentary and disabled secondary payload delivery. It demonstrates the exploitation process without causing harm.
- exploit/original.html: The original, unmodified exploit as found in the wild, including a redirect to 'member.php' for secondary payload delivery (now disabled in the educational version).
The exploit targets users browsing malicious HTML/JS content, particularly in the TOR Browser. The main attack vector is browser-based, exploiting SVG animation and JavaScript. The payload is encoded shellcode, executed via heap spraying and ROP techniques. The repository is structured for both research and educational purposes, with clear separation between the original and safe demonstration versions.
This repository provides a proof-of-concept (POC) for CVE-2024-9680, a use-after-free vulnerability in Mozilla Firefox and Thunderbird's animation timeline handling. The repository contains four files: a .gitignore, a detailed README.md explaining the vulnerability and exploitation concepts, an index.html file with JavaScript code that rapidly manipulates CSS animations to trigger the vulnerability in a browser, and a main.c file that demonstrates a generic use-after-free bug in C for educational purposes. The main exploit is in index.html, which should be opened in a vulnerable browser to attempt to trigger the flaw. No direct shell or advanced payload is included; the code is intended to demonstrate the vulnerability's trigger condition. The attack vector is browser-based, and there are no hardcoded network endpoints or IP addresses. The repository is structured as an educational and demonstrative POC rather than a weaponized exploit.
Recent activity
24 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A zero-day use-after-free vulnerability in Firefox animation timelines that allows malicious code execution in the content process.
A Mozilla Firefox use-after-free vulnerability whose CISA KEV knownRansomwareCampaignUse field flipped from Unknown to Known (evidence of ransomware campaign use).
A Mozilla Firefox use-after-free vulnerability used as part of a chained, reportedly zero-click exploit to enable compromise and backdoor delivery.
A Firefox animation timeline vulnerability used as part of an exploit chain by RomCom.