CVE-2022-31736: 
NixOS vulnerability analysis and mitigation

CVE-2022-31736 is a security vulnerability discovered in Mozilla Firefox, Firefox ESR, and Thunderbird that was disclosed on May 31, 2022. The vulnerability allowed a malicious website to learn the size of a cross-origin resource that supported Range requests. This affected Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10 (Mozilla Advisory, CVE Mitre).

The vulnerability exploits a flaw in how the browser handles Range requests in combination with Service Workers. When a cross-origin resource is used in an audio/video tag, a request containing the Range header asking for 'bytes=0-' is issued. By intercepting this request using a Service Worker and responding with an arbitrary Content-Range header, an attacker could trick Firefox into making additional range requests, which could then be used to determine the exact size of cross-origin resources (Mozilla Bug).

The vulnerability has been rated as high severity. It could allow malicious websites to determine the exact size of cross-origin resources that support Range requests, potentially leading to information leakage and cross-origin attacks. This could be particularly useful in XS-Search attacks, where an attacker can extract sensitive information based on the size of responses (Mozilla Advisory).

The vulnerability was fixed in Firefox 101, Firefox ESR 91.10, and Thunderbird 91.10. Users should update to these versions or newer to mitigate the vulnerability. The fix prevents mixing of non-opaque and opaque responses in media elements and addresses issues with range request handling (Mozilla Advisory).