SecuriTricks - CVE-2025-3522

Description

Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.

Product(s) Impacted

Vendor	Product	Versions
Mozilla	Thunderbird	<137.0.2, <128.9.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	mozilla	thunderbird	<137.0.2	/	/	/	/	/	/	/
a	mozilla	thunderbird	<128.9.2	/	/	/	/	/	/	/

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1955372

https://www.mozilla.org/security/advisories/mfsa2025-26/

https://www.mozilla.org/security/advisories/mfsa2025-27/

CVSS Score

6.3 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

View Vector String

Timeline

Published: April 15, 2025, 3:16 p.m.
Last Modified: April 15, 2025, 7:16 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@mozilla.org

CVE-2025-3522