CVE-2022-29912 — Open Redirect in Mozilla Firefox

CWE-601 — Open Redirect CWE-565 — Reliance on Cookies without Validation and Integrity Checking13 documents9 sources

Severity

6.1MEDIUMNVD

OSV4.3

EPSS

0.5%

top 32.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedDec 22

Latest updateOct 15

Description

Requests initiated through reader mode did not properly omit cookies with a SameSite attribute. This vulnerability affects Thunderbird < 91.9, Firefox ESR < 91.9, and Firefox < 100.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages8 packages

▶CVEListV5mozilla/firefoxunspecified — 100

▶NVDmozilla/firefox< 100.0

▶CVEListV5mozilla/firefox_esrunspecified — 91.9

▶NVDmozilla/firefox_esr< 91.9

▶CVEListV5mozilla/thunderbirdunspecified — 91.9

🔴Vulnerability Details

CVEList

CVE-2022-29912: Requests initiated through reader mode did not properly omit cookies with a SameSite attribute↗2022-12-22

▶

GHSA

GHSA-qf7x-w4mc-mcp8: Requests initiated through reader mode did not properly omit cookies with a SameSite attribute↗2022-12-22

▶

OSV

CVE-2022-29912: Requests initiated through reader mode did not properly omit cookies with a SameSite attribute↗2022-12-22

▶

OSV

thunderbird vulnerabilities↗2022-05-25

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2022-05-25

▶

Ubuntu

Firefox vulnerabilities↗2022-05-11

▶

Red Hat

Mozilla: Reader mode bypassed SameSite cookies↗2022-05-03

▶

Debian

CVE-2022-29912: firefox - Requests initiated through reader mode did not properly omit cookies with a Same...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-18: CVE-2022-29912↗

▶

💬Community

HackerOne

SameSite restrictions are lifted, and SameSite:Strict cookie are being sent.↗2025-10-15

▶