VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2010 · Updated Apr 29, 2026

CVE-2009-5017

Description

Mozilla Firefox before 3.6 Beta 3 does not properly handle overlong UTF-8 encoding, which makes it easier for remote attackers to bypass cross-site scripting (XSS) protection mechanisms via a crafted string, a different vulnerability than CVE-2010-1210.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Firefox before 3.6 Beta 3 fails to reject overlong UTF-8 sequences, bypassing XSS filters.

Vulnerability

Mozilla Firefox before version 3.6 Beta 3 does not properly reject overlong UTF-8 encoding sequences, as required by Unicode Technical Report #36. Specifically, the function Utf8ToOneUcs4Char in jsstr.cpp (bug 511859) and decodeURIComponent / decodeURI functions (bug 522634) incorrectly accept non-shortest-form representations of characters. For example, the character U+1000 can be encoded both in its shortest form (0xE1 0x80 0x80) and in a 4-byte overlong form (0xF0 0x81 0x80 0x80). The overlong form should be rejected and replaced with U+FFFD, but Firefox before 3.6 Beta 3 allows it, enabling filter bypasses [2][3].

Exploitation

A remote attacker can craft a string containing overlong UTF-8 sequences and deliver it to a victim via a web page. No special network position or authentication is required; exploitation relies on the browser rendering or processing the malicious input. The attacker's string is compared against or processed by the browser's UTF-8 conversion routines, which accept the overlong form. This bypasses XSS protection mechanisms that expect shortest-form UTF-8 only [1][2].

Impact

Successful exploitation allows an attacker to bypass cross-site scripting (XSS) filters in the browser. The attacker can inject arbitrary script code that the browser’s XSS filter would normally block, leading to information disclosure, session hijacking, and other client-side attacks. The impact is limited to the browser’s JavaScript context and the user’s interactions with the vulnerable site [1][2].

Mitigation

Firefox fixed this issue in version 3.6 Beta 3. The patches addressed both the JavaScript engine (js/src/jsstr.cpp — bug 511859) and the decodeURI / decodeURIComponent functions (bug 522634). Users should upgrade to Firefox 3.6 Beta 3 or later. There are no known workarounds for older versions, and no EOL status is indicated [2][3].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:mozilla:firefox:3.6:beta1:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:*:beta2:*:*:*:*:*:* (range: <=3.6)
  • (no CPE) range: <3.6 Beta 3

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing zeros in the `minucs4Table[]` constants in the JavaScript engine's UTF-8 decoder caused overlong four-byte UTF-8 sequences to be accepted as valid instead of rejected."

Attack vector

An attacker can craft a string containing an overlong UTF-8 sequence — such as `%F0%81%80%80` — that Firefox's decoder incorrectly treats as a valid character (U+1000) instead of rejecting it as illegal [1][3]. Because the overlong encoding is not the shortest form, it can bypass input filters (e.g., XSS filters) that scan for dangerous characters like `<`, `>`, `'`, or `"` but do not account for all possible overlong byte sequences [1]. When the decoded string is later used in a web page context, the attacker can inject script content that the filter missed, leading to cross-site scripting (CWE-79). The attack requires no authentication and is delivered over HTTP via a crafted URL or POST parameter.

Affected code

The vulnerability resides in the JavaScript engine's UTF-8 decoder function `Utf8ToOneUcs4Char` in `js/src/jsstr.cpp` [2]. The static `minucs4Table[]` used to detect overlong (non-shortest-form) UTF-8 sequences had missing zeros in its entries — for example, `0x0001000` instead of `0x00010000` — causing the four-byte overlong sequence `0xF0 0x81 0x80 0x80` (which encodes U+1000) to be accepted as valid [2]. The same flaw also affected `decodeURIComponent`/`decodeURI` in the XPCOM component [3].

What the fix does

The fix corrected the `minucs4Table[]` constants in `js/src/jsstr.cpp` by adding the missing zeros: `0x0001000` became `0x00010000`, `0x0020000` became `0x00200000`, and `0x0400000` became `0x04000000` [2]. This ensures that the decoder correctly identifies four-byte overlong sequences (e.g., `0xF0 0x81 0x80 0x80` for U+1000) as illegal and rejects them by returning `OVERLONG_UTF8` (0xFFFFFFFF) instead of a valid code point [2]. The patch also removed the old behavior of converting overlong sequences to U+FFFD (replacement character), aligning Firefox with ECMAScript 5's requirement to forbid overlong UTF-8 sequences entirely [2].

Preconditions

  • input: The target application must use Firefox's UTF-8 decoder (e.g., via decodeURI/decodeURIComponent or JavaScript string processing) and fail to sanitize overlong UTF-8 sequences before outputting user input into an HTML context.
  • input: The attacker must be able to supply a crafted string containing overlong UTF-8 byte sequences (e.g., via URL parameters or form fields).
  • network: No authentication is required; the attack is delivered over HTTP to any user running an affected Firefox version (before 3.6 Beta 3).

Reproduction

1. Open Firefox (version before 3.6 Beta 3).
2. In the address bar or a JavaScript console, execute: `alert(decodeURI("%F0%81%80%80")==decodeURI("%E1%80%80"))`.
3. Observe that the alert returns `true`, confirming that the overlong four-byte sequence `%F0%81%80%80` is decoded to the same character (U+1000) as the correct shortest form `%E1%80%80`.
4. Execute `alert(escape(decodeURI("%F0%81%80%80")))` and observe `%u1000` instead of the expected `%uFFFD` [3].
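The decoder logic described under "What the fix does" and exercised by the reproduction steps above, as an added example written for this page rather than Mozilla's own code. It models the shape of `Utf8ToOneUcs4Char` as the advisory describes it: a per-length table of the smallest code point that may legitimately use that many bytes, and a comparison against it after decoding. `MIN_CODEPOINT_BUGGY` and `MIN_CODEPOINT_FIXED` carry the constants quoted in this advisory (assumed, not checked against the Mozilla tree); `decodeURILike`, `percentDecodeBytes` and `containsOverlong` are the example's own names. Running both tables over `%F0%81%80%80` and `%E1%80%80` reproduces the "equal under the buggy table, rejected under the fixed one" behaviour without needing an old browser, and `containsOverlong` is the server-side check a defender would run on percent-encoded input before trusting any downstream filter.

```javascript
"use strict";

// Smallest code point allowed for a 2-, 3-, 4-, 5- and 6-byte sequence.
// A decoded value below the entry for its length is an overlong form.
// BUGGY carries the pre-fix constants quoted in the advisory (note the
// missing zero in the last three), FIXED the corrected ones.
const MIN_CODEPOINT_BUGGY = [0x00000080, 0x00000800, 0x0001000, 0x0020000, 0x0400000];
const MIN_CODEPOINT_FIXED = [0x00000080, 0x00000800, 0x00010000, 0x00200000, 0x04000000];

// Sentinel the fixed decoder returns for an overlong sequence (value from the advisory).
const OVERLONG_UTF8 = 0xFFFFFFFF;

// Length of the sequence introduced by lead byte `b`, or 0 if `b` cannot start one.
function sequenceLength(b) {
  if (b < 0x80) return 1;
  if ((b & 0xE0) === 0xC0) return 2;
  if ((b & 0xF0) === 0xE0) return 3;
  if ((b & 0xF8) === 0xF0) return 4;
  if ((b & 0xFC) === 0xF8) return 5;
  if ((b & 0xFE) === 0xFC) return 6;
  return 0; // stray continuation byte, or 0xFE/0xFF
}

// Decode the `len`-byte sequence at bytes[pos]. Returns the code point, or
// OVERLONG_UTF8 when the value is below the minimum for its length.
function decodeOne(bytes, pos, len, minTable) {
  if (len === 1) return bytes[pos];
  let cp = bytes[pos] & ((1 << (7 - len)) - 1); // payload bits of the lead byte
  for (let i = 1; i < len; i++) {
    const b = bytes[pos + i];
    if (b === undefined || (b & 0xC0) !== 0x80) {
      throw new Error(`malformed continuation byte at offset ${pos + i}`);
    }
    cp = (cp << 6) | (b & 0x3F);
  }
  return cp < minTable[len - 2] ? OVERLONG_UTF8 : cp;
}

// Decode a whole byte array; OVERLONG_UTF8 marks each rejected sequence.
function decodeUtf8(bytes, minTable) {
  const out = [];
  for (let pos = 0; pos < bytes.length; ) {
    const len = sequenceLength(bytes[pos]);
    if (len === 0) throw new Error(`invalid lead byte at offset ${pos}`);
    out.push(decodeOne(bytes, pos, len, minTable));
    pos += len;
  }
  return out;
}

// "%F0%81%80%80" -> [0xF0, 0x81, 0x80, 0x80]; ASCII passes through unchanged.
function percentDecodeBytes(str) {
  const bytes = [];
  for (let i = 0; i < str.length; i++) {
    if (str[i] === "%") {
      const hex = str.slice(i + 1, i + 3);
      if (!/^[0-9A-Fa-f]{2}$/.test(hex)) throw new URIError("URI malformed");
      bytes.push(parseInt(hex, 16));
      i += 2;
    } else {
      const c = str.charCodeAt(i);
      if (c > 0x7F) throw new Error("this example accepts ASCII plus %XX escapes only");
      bytes.push(c);
    }
  }
  return bytes;
}

// decodeURI-like wrapper. With the fixed table an overlong input throws
// URIError, which is what ECMAScript 5's Decode algorithm requires; with the
// buggy table the overlong form silently decodes to the same string.
function decodeURILike(str, minTable) {
  return decodeUtf8(percentDecodeBytes(str), minTable)
    .map((cp) => {
      if (cp === OVERLONG_UTF8) throw new URIError("overlong UTF-8 sequence rejected");
      return String.fromCodePoint(cp);
    })
    .join("");
}

// Defender-side check: does percent-encoded input contain any overlong sequence?
function containsOverlong(str) {
  return decodeUtf8(percentDecodeBytes(str), MIN_CODEPOINT_FIXED).includes(OVERLONG_UTF8);
}

// Constructed inputs from the reproduction steps: overlong vs. shortest form of U+1000.
console.log("buggy table treats them as equal:",
  decodeURILike("%F0%81%80%80", MIN_CODEPOINT_BUGGY) === decodeURILike("%E1%80%80", MIN_CODEPOINT_BUGGY));
console.log("fixed table flags the overlong form:", containsOverlong("%F0%81%80%80"));
```

The two-byte and three-byte table entries were already correct in the buggy table, so an overlong `<` (`0xC0 0xBC`) was rejected before the fix too; the bypass was specific to four-byte and longer forms, which is why a filter that only tests the classic two-byte overlongs would still have missed it.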

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)

News mentions

No linked articles in our index yet.