Description
By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well. This vulnerability was fixed in Thunderbird 137.0.2 and Thunderbird 128.9.2.
Published: 2025-04-15
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Update Client
AI Analysis

Impact

Thunderbird processes a multipart message containing an attachment with a carefully crafted filename that causes the client to output the /tmp directory listing when the message is forwarded or edited. This presents a clear information exposure flaw, allowing an attacker to read files that the victim can normally access. The underlying weaknesses are directory traversal and lack of validation of attachment names.

Affected Systems

The flaw affects Mozilla Thunderbird versions prior to 137.0.2 on Linux and 128.9.2 on Windows. The CPE list indicates that Red Hat Enterprise Linux releases from 8 to 10 are affected because Thunderbird runs on those platforms, but the issue is inherent to the Thunderbird application and not to the OS itself.

Risk and Exploitability

The CVSS score of 6.3 reveals a moderate severity, and the EPSS score of <1% signals a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, which further indicates that widespread exploitation is not documented. The most probable attack vector is a remote email sent to a victim that includes a malicious attachment; the victim then forwards or edits the message in Thunderbird, triggering the directory listing disclosure.

Generated by OpenCVE AI on April 20, 2026 at 18:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Thunderbird to version 137.0.2 or 128.9.2, the releases that contain the fix for the directory listing bug.
  • If an immediate update is not possible, configure email security controls to block or quarantine messages that contain attachment filenames with relative or traversal sequences, and prohibit editing or forwarding of such messages within the client.
  • Deploy anti‑malware and mailbox filtering solutions that validate attachment names before delivery to Thunderbird, ensuring that any file name containing path traversal components is removed or sanitized before it reaches the application.

Generated by OpenCVE AI on April 20, 2026 at 18:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-5912-1 thunderbird security update
EUVD EUVD EUVD-2025-10970 By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
Ubuntu USN Ubuntu USN USN-7663-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2. By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well. This vulnerability was fixed in Thunderbird 137.0.2 and Thunderbird 128.9.2.
Title thunderbird: Information Disclosure of /tmp directory listing Information Disclosure of /tmp directory listing

Wed, 18 Jun 2025 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla thunderbird

Wed, 14 May 2025 03:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10.0

Thu, 08 May 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Tus
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_tus:8.4
cpe:/a:redhat:rhel_tus:8.6
Vendors & Products Redhat rhel Tus

Wed, 07 May 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel E4s
CPEs cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:8.8
Vendors & Products Redhat rhel E4s

Tue, 06 May 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_eus:9.4
Vendors & Products Redhat rhel Eus

Thu, 01 May 2025 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
CPEs cpe:/a:redhat:rhel_aus:8.2
Vendors & Products Redhat rhel Aus

Mon, 28 Apr 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux

Sat, 19 Apr 2025 02:00:00 +0000

Type Values Removed Values Added
Title thunderbird: Information Disclosure of /tmp directory listing
Weaknesses CWE-200
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 15 Apr 2025 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 15 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Description By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
References

Subscriptions

Mozilla Thunderbird
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Eus Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:28:29.507Z

Reserved: 2025-03-26T18:56:39.784Z

Link: CVE-2025-2830

cve-icon Vulnrichment

Updated: 2025-04-15T18:10:31.243Z

cve-icon NVD

Status : Modified

Published: 2025-04-15T15:16:08.957

Modified: 2026-04-13T15:16:55.860

Link: CVE-2025-2830

cve-icon Redhat

Severity : Important

Publid Date: 2025-04-15T15:06:13Z

Links: CVE-2025-2830 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T18:15:13Z

Weaknesses