CVE-2025-3523User Interface (UI) Misrepresentation of Critical Information in Mozilla Thunderbird

CWE-451User Interface (UI) Misrepresentation of Critical Information7 documents6 sources
Severity
6.4MEDIUMNVD
EPSS
0.2%
top 52.26%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Mozilla Thunderbird
Timeline
PublishedApr 15
Latest updateJul 22

Description

When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability was fixed in Thunderbird 137.0.2 and Thunderbird 128.9.2.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:LExploitability: 1.6 | Impact: 4.7

Affected Packages2 packages

NVDmozilla/thunderbird129.0137.0.2+1
Debianmozilla/thunderbird< 1:128.10.1esr-1~deb11u1+3

🔴Vulnerability Details

2
OSV
CVE-2025-3523: When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hov2025-04-15
GHSA
GHSA-4h7q-pj8m-5675: When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hov2025-04-15

📋Vendor Advisories

4
Ubuntu
Thunderbird vulnerabilities2025-07-22
Debian
CVE-2025-3523: thunderbird - When an email contains multiple attachments with external links via the X-Mozill...2025
Mozilla
Mozilla Foundation Security Advisory 2025-26: CVE-2025-3523
Mozilla
Mozilla Foundation Security Advisory 2025-27: CVE-2025-3523
CVE-2025-3523 — Mozilla Thunderbird vulnerability | cvebase