CVE-2024-10941: 
NixOS vulnerability analysis and mitigation

CVE-2024-10941 is a security vulnerability discovered in Mozilla Firefox versions prior to 126. The vulnerability was identified when a malicious website could include an iframe with a malformed URI, specifically using 'file:.' or 'file:..' patterns, resulting in a non-exploitable browser crash (Mozilla Advisory, NVD). The issue was discovered by Anthony De Los Santos and was publicly disclosed on November 6, 2024.

The vulnerability stems from an incorrect parsing of file URLs in Firefox's URL handling mechanism. When parsing 'file:.' or 'file:..', the browser produced 'file:///.' instead of the correct 'file:///' output. This parsing inconsistency between the parent and child processes led to a deserialization error with the principal URI, specifically failing in PrincipalInfoToPrincipal where 'info.originNoSuffix()' did not match 'originNoSuffix'. The CVSS v3.1 base score is 6.5 (Medium) according to NVD's assessment, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).

The vulnerability's impact was limited to causing a browser crash when a malicious website included an iframe with a malformed URI. While this could result in a denial of service condition, it was classified as non-exploitable and received a low severity rating (Mozilla Advisory).

The vulnerability was fixed in Firefox version 126. Users are advised to update their Firefox installations to version 126 or later to receive the security fix. The fix involved correcting the URL parsing mechanism to properly handle file URLs with dot patterns (Mozilla Advisory).