CVE-2025-5986User Interface (UI) Misrepresentation of Critical Information in Mozilla Thunderbird

CWE-451User Interface (UI) Misrepresentation of Critical InformationCWE-400Uncontrolled Resource Consumption11 documents8 sources
Severity
6.5MEDIUMNVD
EPSS
0.6%
top 30.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Mozilla Thunderbird
Timeline
PublishedJun 11
Latest updateJul 22

Description

A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDmozilla/thunderbird135.0139.0.2+1
Debianmozilla/thunderbird< 1:128.12.0esr-1~deb11u1+3

🔴Vulnerability Details

3
OSV
CVE-2025-5986: A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of2025-06-11
CVEList
Unsolicited File Download, Disk Space Exhaustion, and Credential Leakage via mailbox:/// Links2025-06-11
GHSA
GHSA-q7fj-77gc-45xq: A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of2025-06-11

📋Vendor Advisories

7
Ubuntu
Thunderbird vulnerabilities2025-07-22
Red Hat
thunderbird: Unsolicited File Download, Disk Space Exhaustion, and Credential Leakage via mailbox:/// Links2025-06-10
Debian
CVE-2025-5986: thunderbird - A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited ...2025
Mozilla
Mozilla Foundation Security Advisory 2025-49: CVE-2025-5986
Mozilla
Mozilla Foundation Security Advisory 2025-35: CVE-2025-5986
CVE-2025-5986 — Mozilla Thunderbird vulnerability | cvebase