CVE-2025-3932

It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
mozillaCNA
---
---
CISA-ADPADP
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
VendorProductVersion
mozillathunderbird
𝑥
< 128.10.1
mozillathunderbird
129.0 ≤
𝑥
< 138.0.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
thunderbird
bullseye
vulnerable
bullseye (security)
1:128.12.0esr-1~deb11u1
fixed
bookworm
vulnerable
bookworm (security)
1:128.12.0esr-1~deb12u1
fixed
sid
1:128.12.0esr-1
fixed
trixie
1:128.12.0esr-1
fixed
Common Weakness Enumeration
References
https://bugzilla.mozilla.org/show_bug.cgi?id=1960412
https://www.mozilla.org/security/advisories/mfsa2025-34/
https://www.mozilla.org/security/advisories/mfsa2025-35/