CVE-2025-3909Product UI does not Warn User of Unsafe Actions in Mozilla Thunderbird

CWE-356Product UI does not Warn User of Unsafe ActionsCWE-290Authentication Bypass by Spoofing9 documents8 sources
Severity
8.1HIGHNVD
EPSS
0.4%
top 37.87%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Mozilla Thunderbird
Timeline
PublishedMay 14
Latest updateJul 22

Description

Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

NVDmozilla/thunderbird129.0138.0.1+1
Debianmozilla/thunderbird< 1:128.10.1esr-1~deb11u1+3

🔴Vulnerability Details

3
GHSA
GHSA-h6cg-6m9j-xj9g: Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context2025-05-14
OSV
CVE-2025-3909: Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context2025-05-14
CVEList
JavaScript Execution via Spoofed PDF Attachment and file:/// Link2025-05-14

📋Vendor Advisories

5
Ubuntu
Thunderbird vulnerabilities2025-07-22
Red Hat
thunderbird: JavaScript Execution via Spoofed PDF Attachment and file:/// Link2025-05-14
Debian
CVE-2025-3909: thunderbird - Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be ex...2025
Mozilla
Mozilla Foundation Security Advisory 2025-34: CVE-2025-3909
Mozilla
Mozilla Foundation Security Advisory 2025-35: CVE-2025-3909
CVE-2025-3909 — Mozilla Thunderbird vulnerability | cvebase