CVE-2025-3909

EUVD-2025-14935

14.05.2025, 17:15

Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.1 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 62%

Affected Products (NVD)

Vendor	Product	Version
mozilla	thunderbird	𝑥 < 128.10.1
mozilla	thunderbird	129.0 ≤ 𝑥 < 138.0.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

thunderbird

bookworm	1:140.10.1esr-1~deb12u1 fixed
bookworm (security)	1:140.11.0esr-1~deb12u1 fixed
bullseye	vulnerable
bullseye (security)	1:140.11.0esr-1~deb11u1 fixed
forky	1:140.11.0esr-1 fixed
sid	1:140.11.0esr-1 fixed
trixie	1:140.10.1esr-1~deb13u1 fixed
trixie (security)	1:140.11.0esr-1~deb13u1 fixed

openSUSE / SLES Releases

openSUSE Product

Release

MozillaThunderbird

suse enterprise desktop 15 SP6	128.10.1-150200.8.215.1 fixed
suse enterprise desktop 15 SP7	128.10.1-150200.8.215.1 fixed
suse enterprise sap 15 SP6	128.10.1-150200.8.215.1 fixed
suse enterprise sap 15 SP7	128.10.1-150200.8.215.1 fixed
suse enterprise server 15 SP6	128.10.1-150200.8.215.1 fixed
suse enterprise server 15 SP7	128.10.1-150200.8.215.1 fixed
suse enterprise workstation 15 SP6	128.10.1-150200.8.215.1 fixed
suse enterprise workstation 15 SP7	128.10.1-150200.8.215.1 fixed

MozillaThunderbird-translations-common

suse enterprise desktop 15 SP6	128.10.1-150200.8.215.1 fixed
suse enterprise desktop 15 SP7	128.10.1-150200.8.215.1 fixed
suse enterprise sap 15 SP6	128.10.1-150200.8.215.1 fixed
suse enterprise sap 15 SP7	128.10.1-150200.8.215.1 fixed
suse enterprise server 15 SP6	128.10.1-150200.8.215.1 fixed
suse enterprise server 15 SP7	128.10.1-150200.8.215.1 fixed
suse enterprise workstation 15 SP6	128.10.1-150200.8.215.1 fixed
suse enterprise workstation 15 SP7	128.10.1-150200.8.215.1 fixed

MozillaThunderbird-translations-other

suse enterprise desktop 15 SP6	128.10.1-150200.8.215.1 fixed
suse enterprise desktop 15 SP7	128.10.1-150200.8.215.1 fixed
suse enterprise sap 15 SP6	128.10.1-150200.8.215.1 fixed
suse enterprise sap 15 SP7	128.10.1-150200.8.215.1 fixed
suse enterprise server 15 SP6	128.10.1-150200.8.215.1 fixed
suse enterprise server 15 SP7	128.10.1-150200.8.215.1 fixed
suse enterprise workstation 15 SP6	128.10.1-150200.8.215.1 fixed
suse enterprise workstation 15 SP7	128.10.1-150200.8.215.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

thunderbird

RHEL 9

0:128.10.1-1.el9_6

fixed

Common Weakness Enumeration

CWE-356 - Product UI does not Warn User of Unsafe Actions
The software's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1958376

https://www.mozilla.org/security/advisories/mfsa2025-34/

https://www.mozilla.org/security/advisories/mfsa2025-35/

https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html