CVE-2021-29991

Publication date

2021-11-03 00:04:17

Family

mozilla

State

PUBLISHED

Description

Firefox incorrectly accepted a newline in a HTTP/3 header, interpretting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3. This vulnerability affects Firefox < 91.0.1 and Thunderbird < 91.0.1.