CVE-2025-3909

EUVD-2025-14935

14.05.2025, 17:15

Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.1 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
mozilla	thunderbird	𝑥 < 128.10.1
mozilla	thunderbird	129.0 ≤ 𝑥 < 138.0.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

thunderbird

bookworm	1:140.6.0esr-1~deb12u1 fixed
bookworm (security)	1:140.9.1esr-1~deb12u1 fixed
bullseye	vulnerable
bullseye (security)	1:140.9.1esr-1~deb11u1 fixed
forky	1:140.9.0esr-1 fixed
sid	1:140.9.1esr-1 fixed
trixie	1:140.8.0esr-1~deb13u1 fixed
trixie (security)	1:140.9.1esr-1~deb13u1 fixed

Common Weakness Enumeration

CWE-356 - Product UI does not Warn User of Unsafe Actions
The software's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1958376

https://www.mozilla.org/security/advisories/mfsa2025-34/

https://www.mozilla.org/security/advisories/mfsa2025-35/

https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html