CVE-2009-2477

EXPLOITED

Firefox 3.5 - Remote Code Execution via TraceMonkey JIT Escape Function

Exploitation Summary

CVE-2009-2477 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public exploits from researchers including Hacker Fantastic, Metasploit, and netsoul; among them is the Metasploit module exploits/multi/browser/firefox_escape_retval.

AI-analyzed exploit summary: This exploit targets CVE-2009-2477, a heap-based buffer overflow in Adobe Reader and Acrobat. It uses JavaScript heap spraying and ROP gadgets to achieve remote code execution, delivering a reverse shell payload.

Description

js/src/jstracer.cpp in the Just-in-time (JIT) JavaScript compiler (aka TraceMonkey) in Mozilla Firefox 3.5 before 3.5.1 allows remote attackers to execute arbitrary code via certain use of the escape function that triggers access to uninitialized memory locations, as originally demonstrated by a document containing P and FONT elements.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Hacker Fantastic · html · local · linux
https://www.exploit-db.com/exploits/40936

This exploit targets CVE-2009-2477, a heap-based buffer overflow in Adobe Reader and Acrobat. It uses JavaScript heap spraying and ROP gadgets to achieve remote code execution, delivering a reverse shell payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Adobe Reader and Acrobat (versions prior to 9.3.3, 8.2.3, and 7.1.4)
No auth needed
Prerequisites: Victim must open the malicious HTML file in a vulnerable version of Adobe Reader/Acrobat
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/16299

This Metasploit module exploits a memory corruption vulnerability in Firefox 3.5's JavaScript interpreter, where the escape() function fails to preserve its return value, leading to uninitialized memory usage. The exploit uses heap spraying to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Mozilla Firefox 3.5.0
No auth needed
Prerequisites: Victim must visit a malicious webpage · Firefox 3.5.0 must be in use
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by netsoul · perl · remote · windows
https://www.exploit-db.com/exploits/9214

This exploit leverages a heap spray technique to execute arbitrary shellcode in Firefox 3.5 via a crafted HTML page. The shellcode is encoded with Shikata Ga Nai and binds a shell to port 5500.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Firefox 3.5
No auth needed
Prerequisites: Victim must visit a malicious webpage · Firefox 3.5 must be vulnerable to the heap spray technique
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by David Kennedy (ReL1K) · python · remote · windows
https://www.exploit-db.com/exploits/9181

This exploit leverages a heap spray technique to achieve remote code execution in Firefox 3.5 by triggering a vulnerability in the browser's handling of JavaScript. It delivers a shellcode payload (encoded with Shikata Ga Nai) that binds a shell to port 5500.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Firefox 3.5
No auth needed
Prerequisites: Victim must visit the malicious HTTP server · Firefox 3.5 must be vulnerable to the heap spray technique
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Sberry · html · remote · windows
https://www.exploit-db.com/exploits/9137

This exploit leverages a heap spray technique to trigger a vulnerability in Firefox 3.5, executing arbitrary shellcode (calc.exe) via JavaScript. The PoC demonstrates memory corruption by spraying the heap with NOP sleds and shellcode, then manipulating DOM elements to achieve code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Racy
Target: Mozilla Firefox 3.5
No auth needed
Prerequisites: Victim must visit a malicious webpage using Firefox 3.5
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC NORMAL
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/firefox_escape_retval.rb

This Metasploit module exploits a memory corruption vulnerability in Firefox 3.5 (CVE-2009-2477) by leveraging a bug in the JavaScript interpreter's handling of the escape() function's return value. It uses heap spraying to achieve remote code execution via a malicious HTML page.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Mozilla Firefox 3.5.0
No auth needed
Prerequisites: Victim must visit a malicious webpage · Firefox 3.5.0 must be in use
devstral-2 · analyzed Feb 16, 2026

References (15)

Core References
Vendor Advisory vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-66-266148-1
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=503286
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/443060
Vendor Advisory vendor-advisory x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00909.html
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/35660
Patch, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1868
Patch, Vendor Advisory x_refsource_confirm
http://www.mozilla.org/security/announce/2009/mfsa2009-41.html
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40936/
Various Sources x_refsource_misc
http://isc.sans.org/diary.html?storyid=6796
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/9181
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35798
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/9137

Scores

EPSS: 0.8331
EPSS Percentile: 99.3%

Details

VulnCheck KEV: 2010-05-01
CWE: CWE-94
Status: published
Products (1): mozilla/firefox 3.5
Published: Jul 15, 2009
Tracked Since: Feb 18, 2026