{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3909", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-04-23T17:44:42.650Z", "datePublished": "2025-05-14T16:56:43.630Z", "dateUpdated": "2026-04-13T14:27:53.020Z"}, "containers": {"cna": {"affected": [{"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "128.10.1", "lessThanOrEqual": "128.*", "versionType": "rpm"}, {"status": "unaffected", "version": "138.0.1", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1."}]}], "title": "JavaScript Execution via Spoofed PDF Attachment and file:/// Link", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1958376"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-34/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-35/"}], "credits": [{"lang": "en", "value": "Dario Wei\u00dfer"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:27:53.020Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-3909", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-16T03:55:44.016748Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-356", "description": "CWE-356 Product UI does not Warn User of Unsafe Actions"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T18:28:09.659Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:58:39.208Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:58:39.208Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-3909", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-16T03:55:44.016748Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-356", "description": "CWE-356 Product UI does not Warn User of Unsafe Actions"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-15T14:45:57.239Z"}}], "cna": {"title": "JavaScript Execution via Spoofed PDF Attachment and file:/// Link", "credits": [{"lang": "en", "value": "Dario Wei\u00dfer"}], "affected": [{"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "128.10.1", "versionType": "rpm", "lessThanOrEqual": "128.*"}, {"status": "unaffected", "version": "138.0.1", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1958376"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-34/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-35/"}], "descriptions": [{"lang": "en", "value": "Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.", "supportingMedia": [{"type": "text/html", "value": "Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:27:53.020Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3909", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:27:53.020Z", "dateReserved": "2025-04-23T17:44:42.650Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-05-14T16:56:43.630Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "82B93B43-AAD0-4F6F-8022-9842E39D73D6", "versionEndExcluding": "128.10.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "4AFE1A41-57DD-4532-9F3F-D3E9705868BA", "versionEndExcluding": "138.0.1", "versionStartIncluding": "129.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1."}, {"lang": "es", "value": "La gesti\u00f3n que Thunderbird hace del encabezado X-Mozilla-External-Attachment-URL puede explotarse para ejecutar JavaScript en el contexto file:///. Al manipular un archivo adjunto de correo electr\u00f3nico anidado (message/rfc822) y configurar su tipo de contenido como application/pdf, Thunderbird puede representarlo incorrectamente como HTML al abrirlo, lo que permite que el JavaScript incrustado se ejecute sin necesidad de descargar el archivo. Este comportamiento se basa en que Thunderbird guarda autom\u00e1ticamente el archivo adjunto en /tmp y lo enlaza mediante el protocolo file:///, lo que podr\u00eda permitir la ejecuci\u00f3n de JavaScript como parte del HTML. Esta vulnerabilidad afecta a Thunderbird versiones anteriores a la 128.10.1 y a la 138.0.1."}], "id": "CVE-2025-3909", "lastModified": "2026-04-13T15:16:58.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-05-14T17:15:48.660", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1958376"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-34/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-35/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-356"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:8196", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "thunderbird-0:128.10.1-1.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-05-27T00:00:00Z"}, {"advisory": "RHSA-2025:8756", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:128.11.0-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-06-10T00:00:00Z"}, {"advisory": "RHSA-2025:8391", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "thunderbird-0:128.10.1-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2025-06-02T00:00:00Z"}, {"advisory": "RHSA-2025:8507", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "thunderbird-0:128.10.1-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2025-06-04T00:00:00Z"}, {"advisory": "RHSA-2025:8594", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "thunderbird-0:128.10.1-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2025-06-05T00:00:00Z"}, {"advisory": "RHSA-2025:8594", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "thunderbird-0:128.10.1-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2025-06-05T00:00:00Z"}, {"advisory": "RHSA-2025:8594", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "thunderbird-0:128.10.1-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2025-06-05T00:00:00Z"}, {"advisory": "RHSA-2025:8784", "cpe": "cpe:/a:redhat:rhel_tus:8.8", "package": "thunderbird-0:128.10.1-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date": "2025-06-10T00:00:00Z"}, {"advisory": "RHSA-2025:8784", "cpe": "cpe:/a:redhat:rhel_e4s:8.8", "package": "thunderbird-0:128.10.1-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date": "2025-06-10T00:00:00Z"}, {"advisory": "RHSA-2025:8203", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:128.10.1-1.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-27T00:00:00Z"}, {"advisory": "RHSA-2025:8324", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "thunderbird-0:128.10.1-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2025-05-29T00:00:00Z"}, {"advisory": "RHSA-2025:8326", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "thunderbird-0:128.10.1-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2025-05-29T00:00:00Z"}, {"advisory": "RHSA-2025:8325", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "thunderbird-0:128.10.1-1.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-05-29T00:00:00Z"}], "bugzilla": {"description": "thunderbird: JavaScript Execution via Spoofed PDF Attachment and file:/// Link", "id": "2366283", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366283"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-290", "details": ["Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.", "The Mozilla Foundation's Security Advisory describes the following issue: Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML."], "name": "CVE-2025-3909", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rhel10/thunderbird-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2025-05-14T16:56:43Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-3909\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-3909\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2025-34/#CVE-2025-3909"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-20T17:09:44.924666+00:00", "value": {"mitigation_remediation": ["Upgrade Thunderbird to version 128.10.1 or later (standard release) or 138.0.1 or later (long\u2011term release).", "If an upgrade is not immediately possible, configure Thunderbird to disable loading of file:/// links or to block automatic rendering of attachments as HTML.", "Avoid opening nested email attachments from untrusted sources and consider disabling message/rfc822 attachment handling if it is not required for business operations."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution via Embedded JavaScript"}, "threat_synthesis": {"affected_systems": "Mozilla Thunderbird on all platforms is affected when using session sessions older than Thunderbird 128.10.1 for the standard release and older than 138.0.1 for the long\u2011term release. The attack can be carried out via any email account that receives a crafted nested attachment; the operating system is irrelevant as the exploit depends on Thunderbird\u2019s internal handling of the X\u2011Mozilla\u2011External\u2011Attachment\u2011URL header.", "description_and_impact": "Thunderbird can incorrectly render a message/rfc822 attachment that claims to be a PDF as HTML. The attachment is auto\u2011saved to a temporary location and linked through the file:/// protocol. This process allows an embedded JavaScript payload to execute in the context of the mail client without a user\u2011initiated download. The vulnerability essentially grants an attacker the ability to run code with privileges conferred to the Thunderbird process, compromising confidentiality, integrity, and availability of the affected system. The weakness is mapped to CWE\u2011290 and CWE\u2011356, indicating improper authentication and sensitive information exposure through the mishandling of attachment headers.", "risk_and_exploitability": "The CVSS score of 8.1 places the vulnerability in the high severity band. The EPSS score of less than 1% indicates a low but non\u2011zero probability of exploitation in the wild. At present, the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed public exploits. Based on the description, the likely attack vector is an email containing a specially crafted attachment delivered to a user's mailbox; the employer or attacker must send the email and the user must open it for code execution. The exploit does not require elevated privileges beyond those already granted to the user running Thunderbird. The risk is therefore moderate to high for organizations that process sensitive emails and for users who download attachments from unknown or compromised sources."}}}}, "created": "2026-04-20T17:15:12.550118+00:00", "updated": "2026-04-20T17:15:12.550130+00:00", "vendors": []}