CVE-2022-1802

HIGH EXPLOITED IN THE WILD

Firefox < 100.0.2, Firefox ESR < 91.9.1, Thunderbird < 91.9.1 - Privileged JavaScript Execution via Prototype Pollution

Title source: llm

Exploitation Summary

CVE-2022-1802 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit from researchers including mistymntncop.

AI-analyzed exploit summary This is a working exploit PoC for CVE-2022-1802, targeting a type confusion vulnerability in Firefox 100.0.1. It leverages memory corruption to achieve arbitrary read/write primitives, enabling potential RCE.

Description

If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR < 91.9.1, Firefox < 100.0.2, Firefox for Android < 100.3.0, and Thunderbird < 91.9.1.

Exploits (1)

nomisec WORKING POC 152 stars

by mistymntncop · client-side

https://github.com/mistymntncop/CVE-2022-1802

View Code ZIP pw:eip

This is a working exploit PoC for CVE-2022-1802, targeting a type confusion vulnerability in Firefox 100.0.1. It leverages memory corruption to achieve arbitrary read/write primitives, enabling potential RCE.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Mozilla Firefox 100.0.1 (Windows)

No auth needed

Prerequisites: Target running Firefox 100.0.1 on Windows · Ability to execute JavaScript in the target browser

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Issue Tracking, Permissions Required, Vendor Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=1770137

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2022-19/

Scores

CVSS v3 8.8

EPSS 0.2671

EPSS Percentile 97.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

VulnCheck KEV 2022-08-15

InTheWild.io 2022-08-15

CWE

CWE-1321

Status published

Products (3)

mozilla/firefox < 100.0.2

mozilla/firefox_esr < 91.9.1

mozilla/thunderbird < 91.9.1

Published Dec 22, 2022

Tracked Since Feb 18, 2026