CVE-2015-4495

HIGH KEV

Firefox < 39.0.3 - Same Origin Policy Bypass via PDF Reader Native Setter

Title source: llm

Exploitation Summary

CVE-2015-4495 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 25, 2022. EIP tracks 3 public exploits, credited to Tantaryu MING, vincd, and fukusa (other authors are listed as Unknown), including the Metasploit module auxiliary/gather/firefox_pdfjs_file_theft.

AI-analyzed exploit summary: This exploit leverages a same-origin policy bypass in Firefox's pdf.js to read local files and directory listings. It uses JavaScript to manipulate iframe and object elements to escape the sandbox and access restricted resources.

Description

The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.

Exploits (3)

exploitdb WORKING POC
by Tantaryu MING · javascript · local · multiple
https://www.exploit-db.com/exploits/37772

This exploit leverages a same-origin policy bypass in Firefox's pdf.js to read local files and directory listings. It uses JavaScript to manipulate iframe and object elements to escape the sandbox and access restricted resources.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Mozilla Firefox < 39.0.3
No auth needed
Prerequisites: Victim must visit a malicious webpage · Firefox version < 39.0.3
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC · 1 star
by vincd · remote
https://github.com/vincd/CVE-2015-4495

This PoC exploits CVE-2015-4495, a vulnerability in Firefox < 39.0.3 that allows directory listing enumeration via a sandbox escape and JavaScript injection. The exploit uses iframe manipulation and prototype chain traversal to bypass security restrictions and read local filesystem directories.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Mozilla Firefox < 39.0.3
No auth needed
Prerequisites: Victim must open the exploit in an unpatched Firefox browser (< 39.0.3) · JavaScript must be enabled
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
by Unknown, fukusa, Unknown · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb

This Metasploit module exploits an XSS vulnerability in Firefox's PDF.js component (CVE-2015-4495) to exfiltrate arbitrary local files by leveraging privileged frame access. It serves a malicious HTML page that steals specified files via POST requests to the attacker's server.

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Firefox < 39.0.3, Firefox ESR < 38.1.1, Firefox OS < 2.2
No auth needed
Prerequisites: Victim must visit attacker-controlled webpage · PDF.js must be enabled in Firefox
devstral-2 · analyzed Feb 16, 2026

References (18)

Core References
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1179262
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00009.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00010.html
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/76249
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/37772/
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2015-1581.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201512-10
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00014.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2707-1
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00016.html
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1178058
Issue Tracking, Vendor Advisory x_refsource_confirm
https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1033216
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00015.html

Scores

CVSS v3 8.8
EPSS 0.7157
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-05-25
VulnCheck KEV 2015-08-05
InTheWild.io 2015-08-05
ENISA EUVD EUVD-2015-4515
CWE CWE-346
Status published
Products (40)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 15.04
mozilla/firefox < 39.0.3 (2 CPE variants)
mozilla/firefox 38.0 - 38.1.1
mozilla/firefox_os < 2.2
opensuse/opensuse 13.1
opensuse/opensuse 13.2
oracle/solaris 11.3
redhat/enterprise_linux_desktop 5.0
... and 30 more
Published Aug 08, 2015
KEV Added May 25, 2022
Tracked Since Feb 18, 2026