Cyber Resilience

CVE-2022-2200

Severity: High
Published: 22 December 2022
Modified: 15 April 2025
KEV Added: not listed
Patch: available (fixed releases listed in the Mozilla advisories)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0620 (percentile 91.1)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-2200 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 8.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-2200 is a prototype-pollution issue in the JavaScript engine: an attacker who can corrupt an object prototype can set arbitrary attributes on JavaScript objects that inherit from it, ultimately resulting in privileged code execution. The flaw affects Firefox before version 102, Firefox ESR before 91.11, Thunderbird before 102, and Thunderbird before 91.11.

An unauthenticated remote attacker can trigger the vulnerability by causing a victim to visit a malicious web page or open a specially crafted message; successful exploitation yields high-impact effects on confidentiality, integrity, and availability without requiring prior privileges on the target system.

Mozilla security advisories MFSA2022-24, MFSA2022-25, and MFSA2022-26 recommend immediate upgrade to the fixed releases. The associated EPSS score has remained flat at 0.0620 since disclosure, indicating no material increase in observed exploitation interest.

Vulnerability details

If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.

CWE(s)

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor    Product        Affected versions
mozilla   firefox        ≤ 102.0
mozilla   firefox esr    ≤ 91.11
mozilla   thunderbird    ≤ 91.11

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
