CVE-2004-1490
Description
Opera 7.54 and earlier allows file types to be spoofed in download dialogs using dots and non-breaking spaces in Content-Disposition or Content-Type headers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Opera versions 7.54 and earlier fail to properly validate the filename presented in the download dialog when the Content-Disposition or Content-Type HTTP headers contain dots combined with non-breaking spaces (byte 0xA0 in ISO-8859-1). This allows a remote attacker to disguise a dangerous file type (e.g., an executable) as a seemingly harmless one (e.g., a text file) by injecting a long sequence of dots and non-breaking spaces before the real extension. The vulnerability lies in the browser's parsing of these headers and is reachable simply by visiting a malicious web page or clicking a crafted download link [1][2][3].
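As an added example (not code from the advisories or from Opera), the following check shows how a proxy or download handler could flag a header filename whose visible extension is separated from the real one by a padding run. The function names, the sample headers and the `MAX_PLAIN_RUN` threshold are assumptions made for illustration.

```python
import re

PAD = ". \t\u00a0"   # dots and NBSP (named on the page); space/tab are an assumption
PAD_RUN = re.compile(r"[. \t\u00a0]+")
PARAM = re.compile(r'\b(?:file)?name\s*=\s*(?:"([^"]*)"|([^;]+))', re.I)
MAX_PLAIN_RUN = 3    # assumed limit for runs made only of dots/spaces

# Constructed sample header values (not captured traffic).
SPOOFED = b'attachment; filename="notes.txt' + b"\xa0" * 40 + b'.exe"'
MIXED = b'application/octet-stream; name="notes.txt' + b".\xa0" * 20 + b'.exe"'
BENIGN = b'attachment; filename="archive.tar.gz"'


def header_filename(raw: bytes):
    """Return the filename= or name= parameter of a header value, or None."""
    m = PARAM.search(raw.decode("latin-1"))  # wire byte 0xA0 becomes U+00A0
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2).strip(" \t")


def _ext(name: str) -> str:
    """Lower-cased text after the last dot, or '' when there is no dot."""
    return name.rpartition(".")[2].lower() if "." in name else ""


def inspect_filename(name: str) -> dict:
    """Compare the extension left of a padding run with the real, final one."""
    core = name.rstrip(PAD)
    shown, suspicious = core, False
    for run in PAD_RUN.finditer(core):
        if "\u00a0" in run.group() or len(run.group()) > MAX_PLAIN_RUN:
            shown, suspicious = core[:run.start()], True  # text before the padding
            break
    return {"suspicious": suspicious, "shown_ext": _ext(shown),
            "real_ext": _ext(core), "mismatch": _ext(shown) != _ext(core)}


if __name__ == "__main__":
    for sample in (SPOOFED, MIXED, BENIGN):
        print(inspect_filename(header_filename(sample)))
```

The parser handles only the plain `filename=` and `name=` parameters; the RFC 5987 `filename*=` form is outside what this sketch covers.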
Exploitation
An attacker hosting a malicious web page or controlling a man-in-the-middle position can craft a server response that includes a specially formed Content-Disposition or Content-Type header. The header contains the desired filename with dots and non-breaking spaces inserted so that Opera's download dialog truncates or omits the true file extension, showing only a fake extension (e.g., .txt) instead of the actual .exe. The user is enticed to download and open the file, believing it to be safe. No additional authentication or user interaction is required beyond clicking the download link [1][2].
Impact
Successful exploitation leads to a user downloading and potentially executing a file of a type different from what the download dialog indicated. This can result in arbitrary code execution with the user's privileges, depending on the actual file type and how it is handled by the operating system. The core impact is a security-relevant spoofing of file type information, undermining the user's ability to make an informed trust decision about downloaded content [1][3].
Mitigation
Opera Software released an update to address this issue. Users should upgrade to Opera 7.54u1 or later for Windows and Linux, or to version 7.54-r3 for Gentoo Linux. No workaround is known. The vulnerability is also tracked in Gentoo GLSA 200502-17. It is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1][2][3].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (6)
- secunia.com/advisories/12981 (nvd; Broken Link, Patch)
- secunia.com/secunia_research/2004-19/advisory/ (nvd; Broken Link, Patch)
- www.gentoo.org/security/en/glsa/glsa-200502-17.xml (nvd; Patch, Third Party Advisory)
- www.securityfocus.com/bid/11883 (nvd; Broken Link, Patch, Third Party Advisory, VDB Entry)
- exchange.xforce.ibmcloud.com/vulnerabilities/18423 (nvd; Third Party Advisory, VDB Entry)
- www.opera.com/linux/changelogs/754u1/ (nvd; Broken Link)