CVE-2025-3909
Published 2025-05-14
Severity: High (CVSS 3.1 base score 8.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | thunderbird | < 1:128.10.1esr-1~deb12u1 (bookworm) | 1:128.10.1esr-1~deb12u1 (bookworm) |
| mozilla | firefox | — | — |
| mozilla | thunderbird | < 128.10.1 | 128.10.1 |
| mozilla | thunderbird | >= 0 < 1:128.10.1esr-1~deb11u1 | 1:128.10.1esr-1~deb11u1 |
| mozilla | thunderbird | >= 0 < 1:128.10.1esr-1~deb12u1 | 1:128.10.1esr-1~deb12u1 |
| mozilla | thunderbird | >= 0 < 1:128.10.1esr-1 | 1:128.10.1esr-1 |
| mozilla | thunderbird | >= 0 < 1:128.10.1esr-1 | 1:128.10.1esr-1 |
| mozilla | thunderbird | >= 129.0 < 138.0.1 | 138.0.1 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| osv | 8.1 | HIGH | — |