SB2025041536 - Multiple vulnerabilities in Mozilla Thunderbird and Thunderbird ESR

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2025-3522)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a missing URL validation when processing the X-Mozilla-External-Attachment-URL header to handle externally hosted attachments. A remote attacker can send a specially crafted email to the victim that contains a link with an internally referenced document, such as "chrome://" or "chrome://" and force Thunderbird to share hashed Windows credentials with that URL, leading to information disclosure.

2) Information disclosure (CVE-ID: CVE-2025-2830)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error when handling attachment in a multipart message. A remote attacker can trick the victim into forwarding a specially crafted email and force Thunderbird to include in the message a directory listing of /tmp.

3) Spoofing attack (CVE-ID: CVE-2025-3523)

The vulnerability allows a remote attacker to perform spoofing attack.

When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources.

Remediation

Install update from vendor's website.

References

• https://www.mozilla.org/en-US/security/advisories/mfsa2025-27/
• https://www.mozilla.org/en-US/security/advisories/mfsa2025-26/
• https://bugzilla.mozilla.org/show_bug.cgi?id=1955372
• https://bugzilla.mozilla.org/show_bug.cgi?id=1956379
• https://bugzilla.mozilla.org/show_bug.cgi?id=1958385