CVE-2025-3932Authentication Bypass Using an Alternate Path or Channel in Mozilla Thunderbird

CWE-288Authentication Bypass Using an Alternate Path or Channel9 documents8 sources
Severity
6.5MEDIUMNVD
EPSS
0.3%
top 48.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Mozilla Thunderbird
Timeline
PublishedMay 14
Latest updateJul 22

Description

It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDmozilla/thunderbird129.0138.0.1+1
Debianmozilla/thunderbird< 1:128.10.1esr-1~deb11u1+3

🔴Vulnerability Details

3
GHSA
GHSA-jfxg-6gv4-f2gh: It was possible to craft an email that showed a tracking link as an attachment2025-05-14
OSV
CVE-2025-3932: It was possible to craft an email that showed a tracking link as an attachment2025-05-14
CVEList
Tracking Links in Attachments Bypassed Remote Content Blocking2025-05-14

📋Vendor Advisories

5
Ubuntu
Thunderbird vulnerabilities2025-07-22
Red Hat
thunderbird: Tracking Links in Attachments Bypassed Remote Content Blocking2025-05-14
Debian
CVE-2025-3932: thunderbird - It was possible to craft an email that showed a tracking link as an attachment. ...2025
Mozilla
Mozilla Foundation Security Advisory 2025-34: CVE-2025-3932
Mozilla
Mozilla Foundation Security Advisory 2025-35: CVE-2025-3932
CVE-2025-3932 — Mozilla Thunderbird vulnerability | cvebase