CVE-2022-45415 - Dangerous HTML Titles Let Hackers Execute Malware via Firefox Downloads

In November 2022, a worrying security flaw was discovered in Mozilla Firefox, tracked as CVE-2022-45415. This bug exposed users to the risk that a simple web download could compromise their system. Let’s break down what really happened, who it affected, and how attackers could have used it in the real world.

What Was the CVE-2022-45415 Vulnerability?

When you download an HTML file, Firefox names the file based on the document’s <title>. Clever, right? The intention was to help users manage downloads with understandable filenames. But until version 107, Firefox didn’t properly validate what was in the <title>. Hackers could abuse this by setting a malicious "filename extension" in the title field—like .bat, .cmd, or even .exe on Windows.

Result: A plain ole’ HTML download could be saved and misinterpreted as an executable file. If the user later ran that file, bad things could happen.

Offer a Download: The victim is tricked into downloading the seemingly innocent HTML page.

3. Trick the User Into Running the File: Since the file saves as invoice.txt.bat, a double-click executes whatever script or command the attacker embedded.

Key problem: Windows hides known file extensions, so invoice.txt.bat might just appear as invoice.txt. If the file is actually a batch program, it runs malicious code.

You get a phishing email: "View your invoice, click here!"

- Download opens in Firefox. The HTML is saved using a title-turned-filename—maybe invoice.docx.exe.

Here's a stripped down example of a malicious HTML page that abuses this bug

<!DOCTYPE html>
<html>
  <head>
    <title>example.txt.bat</title>
  </head>
  <body>
    <script>
      // batch commands could also be included as text, not JS!
    </script>
    This file *appears* to be plain text, but it's really a batch file when saved.
  </body>
</html>

If a user downloads this in Firefox < 107, the browser proposes to save the file as example.txt.bat. If file extensions are hidden, it might display as example.txt, but running it executes the batch script.

Mitigation & Fix

Mozilla patched this bug swiftly in version 107. Now, Firefox sanitizes the title before using it as a filename and blocks dangerous extensions.

Show file extensions in Windows File Explorer.

- Be wary of files from unknown sources—especially those that could be "double extensions" like something.txt.exe.

References

- Mozilla Security Advisory: CVE-2022-45415
- NVD - CVE-2022-45415
- Firefox Release Notes v107

Conclusion

CVE-2022-45415 is a classic example of how small oversights in software can snowball into major vulnerabilities—especially where user trust in basic file types is involved. Always keep browsers updated, stay vigilant with downloads, and remember: if something looks like file.txt but acts like an app, don’t run it!

Timeline

Published on: 12/22/2022 20:15:00 UTC
Last modified on: 12/30/2022 22:13:00 UTC