CVE-2022-40956: 
NixOS vulnerability analysis and mitigation

CVE-2022-40956 is a Content-Security-Policy (CSP) base-uri bypass vulnerability discovered in Mozilla Firefox. The vulnerability was identified on September 19, 2022, and affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105. When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead, potentially leading to security policy bypasses (Mozilla Advisory, NVD).

The vulnerability stems from a flaw in how Firefox handles HTML base elements during page loading. Specifically, the image preloader would accept the base tag without checking the CSP restrictions. The issue occurs when the CSP is delivered via both the Content-Security-Policy header and meta tag. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating a network-exploitable vulnerability requiring user interaction (NVD).

The vulnerability allows attackers to bypass CSP base-uri restrictions, potentially leading to information leakage. This is particularly concerning for websites that use UUID-based user profiles with secret URLs, as it could enable attackers to leak paths that should be kept secret (Mozilla Bug).

The vulnerability was fixed in Firefox 105, Firefox ESR 102.3, and Thunderbird 102.3. Users should upgrade to these versions or later to mitigate the risk. The fix involves proper implementation of CSP checks during the image preloading process (Mozilla Advisory, Mozilla Advisory ESR).