VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-2227

Description

Firefox before 1.0 truncates long filenames in download dialog, enabling spoofing of file extensions to trick users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Firefox versions before 1.0 truncate long filenames in the "What should Firefox do with this file?" dialog box. This allows a remote attacker to craft a filename that appears to have a benign extension while the actual extension is hidden due to truncation. Affected versions: Firefox prior to 1.0 [1][3].
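
One way a download prompt can avoid the truncation problem described above, shown as an added example (not Firefox's code or its actual fix): elide the middle of a long name so the real extension stays visible. The function names, the 40-character field width and the sample filename are assumptions constructed for illustration.

```javascript
// Added example: render a filename in a fixed-width prompt without hiding
// its real (final) extension. Assumes width > ELLIPSIS.length.
const ELLIPSIS = "...";

// Split on the last dot. A leading dot (".bashrc") or a trailing dot
// ("name.") is not treated as an extension.
function splitExtension(name) {
  const dot = name.lastIndexOf(".");
  if (dot <= 0 || dot === name.length - 1) return { stem: name, ext: "" };
  return { stem: name.slice(0, dot), ext: name.slice(dot) };
}

// The unsafe rendering: keep the head of the name and drop the tail.
function tailTruncate(name, width) {
  if (name.length <= width) return name;
  return name.slice(0, width - ELLIPSIS.length) + ELLIPSIS;
}

// Check: would tail truncation at this width cut off the real extension?
function hidesExtension(name, width) {
  const { ext } = splitExtension(name);
  return ext !== "" && !tailTruncate(name, width).endsWith(ext);
}

// The safe rendering: shorten the stem and always show the extension.
function displayName(name, width) {
  if (name.length <= width) return name;
  const { stem, ext } = splitExtension(name);
  const room = width - ext.length - ELLIPSIS.length;
  if (room < 1) {
    // Extension alone overflows the field: show the tail of the name.
    return ELLIPSIS + name.slice(-(width - ELLIPSIS.length));
  }
  return stem.slice(0, room) + ELLIPSIS + ext;
}

// Constructed sample: a long name whose visible head looks like a .txt file.
const SAMPLE = "readme.txt" + "_".repeat(60) + ".exe";
const WIDTH = 40; // assumed dialog field width in characters

console.log(tailTruncate(SAMPLE, WIDTH)); // head only, ".exe" not shown
console.log(displayName(SAMPLE, WIDTH));  // shortened stem, ".exe" shown
```
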

Exploitation

The attacker needs only to host a malicious file on a web page and lure the user into clicking a download link. The dialog box shows a truncated filename, so the user may be misled about the file type. No authentication is required; the attack is remote [2].

Impact

Successful exploitation could trick a user into opening a file with a dangerous extension (e.g., .exe) that appears as a safe file (e.g., .txt), potentially leading to arbitrary code execution or other malicious actions [2].

Mitigation

Fixed in Firefox 1.0. Users should upgrade to version 1.0 or later. No workaround is available [1][2][3].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

9
    • cpe:2.3:a:mozilla:firefox:0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.10.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:0.9:rc:*:*:*:*:*:*
    • (no CPE) range: <1.0

References

6