CVE-2019-11707

HIGH KEV

Firefox < 60.7.1, < 67.0.3 and Thunderbird < 60.7.2 - Type Confusion via Array.pop

Title source: llm

Exploitation Summary

CVE-2019-11707 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 23, 2022. EIP tracks 6 public exploits from researchers including Google Security Research, Forrest Orr, and vigneshsrao.

AI-analyzed exploit summary: This exploit leverages a type confusion vulnerability in Mozilla Firefox's IonMonkey JIT compiler, specifically in the handling of Array.pop operations, leading to arbitrary memory writes and potential remote code execution.

Description

A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Google Security Research · text · dos · multiple
https://www.exploit-db.com/exploits/47038

This exploit leverages a type confusion vulnerability in Mozilla Firefox's IonMonkey JIT compiler, specifically in the handling of Array.pop operations, leading to arbitrary memory writes and potential remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Mozilla Firefox 66.0.3 and SpiderMonkey beta
No auth needed
Prerequisites: Target must be running a vulnerable version of Firefox or SpiderMonkey · JavaScript execution context required
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Forrest Orr · text · local · windows
https://www.exploit-db.com/exploits/50691

This is a functional exploit for CVE-2019-11707, targeting a type confusion vulnerability in Mozilla Firefox's Array.pop method during JIT compilation. It achieves remote code execution by manipulating array prototypes to bypass type checks, leading to arbitrary read/write primitives and ultimately executing shellcode.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Mozilla Firefox 67.0.2 64-bit and earlier
No auth needed
Prerequisites: Target running vulnerable Firefox version · Ability to execute JavaScript in the target's browser
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 42 stars
by vigneshsrao · client-side
https://github.com/vigneshsrao/CVE-2019-11707

This repository contains a functional exploit for CVE-2019-11707, a type confusion vulnerability in Mozilla Firefox's SpiderMonkey JavaScript engine. The exploit leverages a prototype pollution technique to achieve arbitrary read-write primitives, leading to remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Mozilla Firefox (SpiderMonkey JavaScript engine)
No auth needed
Prerequisites: Victim must visit a malicious webpage or execute the exploit script in a vulnerable Firefox browser
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 2 stars
by flabbergastedbd · client-side
https://github.com/flabbergastedbd/cve-2019-11707

This repository contains a functional exploit for CVE-2019-11707, a type confusion vulnerability in Mozilla's SpiderMonkey JavaScript engine. The exploit achieves arbitrary read/write primitives and executes a JIT spray to bypass mitigations, ultimately leading to remote code execution via a crafted `execve` syscall.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Mozilla Firefox (SpiderMonkey JavaScript engine) <= 66.0.3
No auth needed
Prerequisites: Victim must visit a malicious webpage or execute the exploit in a vulnerable SpiderMonkey environment
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by CosminGGeorgescu · client-side
https://github.com/CosminGGeorgescu/CVE-2019-11707-PoC

This repository contains a functional proof-of-concept exploit for CVE-2019-11707, a type confusion vulnerability in Mozilla Firefox's IonMonkey JIT compiler. The exploit leverages prototype pollution and JIT optimization to trigger a crash by dereferencing a controlled double value as a pointer.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Mozilla Firefox < 67.0.3
No auth needed
Prerequisites: Vulnerable version of Firefox installed · JavaScript execution context
devstral-2 · analyzed Feb 19, 2026

inthewild WORKING POC
poc
https://github.com/tunnelshade/cve-2019-11707

This repository contains a functional exploit for CVE-2019-11707, a type confusion vulnerability in Mozilla's SpiderMonkey JavaScript engine. The exploit leverages arbitrary read/write primitives to achieve remote code execution via JIT spraying and syscall execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Mozilla Firefox (SpiderMonkey JavaScript engine)
No auth needed
Prerequisites: Vulnerable version of Firefox (e.g., 66.0.3)
devstral-2 · analyzed Feb 23, 2026

References (5)

Core References
Issue Tracking, Permissions Required, Vendor Advisory x_refsource_misc
https://bugzilla.mozilla.org/show_bug.cgi?id=1544386
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201908-12

Scores

CVSS v3 8.8
EPSS 0.8429
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-05-23
VulnCheck KEV 2019-06-18
InTheWild.io 2019-06-18
ENISA EUVD EUVD-2019-3377
CWE CWE-843
Status published
Products (3)
mozilla/firefox < 60.7.1
mozilla/firefox < 67.0.3
mozilla/thunderbird < 60.7.2
Published Jul 23, 2019
KEV Added May 23, 2022
Tracked Since Feb 18, 2026