CVE-2009-0071

Firefox <= 3.0.7 - Denial of Service via designMode Query Command Calls

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-0071. PoCs published by Skylined.

AI-analyzed exploit summary This exploit leverages a designMode-related vulnerability in older browsers to trigger a crash via JavaScript manipulation of document properties and commands. The PoC demonstrates a DoS condition by forcing a crash when the window is closed.

Description

Mozilla Firefox 3.0.5 and earlier 3.0.x versions, when designMode is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a certain (a) replaceChild or (b) removeChild call, followed by a (1) queryCommandValue, (2) queryCommandState, or (3) queryCommandIndeterm call. NOTE: it was later reported that 3.0.6 and 3.0.7 are also affected.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Skylined · htmldosmultiple
https://www.exploit-db.com/exploits/8219

This exploit leverages a designMode-related vulnerability in older browsers to trigger a crash via JavaScript manipulation of document properties and commands. The PoC demonstrates a DoS condition by forcing a crash when the window is closed.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Unspecified browser (likely older versions of Internet Explorer or Firefox)
No auth needed
Prerequisites: Victim must visit a malicious webpage or open the HTML file
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Skylined · htmldosmultiple
https://www.exploit-db.com/exploits/8091

This exploit leverages a use-after-free vulnerability in Internet Explorer's handling of the `document.queryCommandState` method, triggered via `designMode` manipulation. It demonstrates a proof-of-concept for arbitrary code execution by corrupting memory through object removal and command state querying.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer 7
No auth needed
Prerequisites: Victim must visit a malicious webpage using Internet Explorer 7
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (9)

Core 9
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/8219
Third Party Advisory mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2009-01/0220.html
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=456727
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=448329
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/8091
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/33154
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=472507
Third Party Advisory mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2009-01/0223.html
Third Party Advisory mailing-list x_refsource_fulldisc
http://archives.neohapsis.com/archives/fulldisclosure/2009-01/0224.html

Scores

EPSS 0.0659
EPSS Percentile 93.0%

Details

CWE
CWE-399
Status published
Products (6)
mozilla/firefox 3.0 (4 CPE variants)
mozilla/firefox 3.0.1
mozilla/firefox 3.0.2
mozilla/firefox 3.0.3
mozilla/firefox 3.0.4
mozilla/firefox 3.0.5
Published Jan 08, 2009
Tracked Since Feb 18, 2026