{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-3522", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-04-11T15:23:30.875Z", "datePublished": "2025-04-15T15:06:13.599Z", "dateUpdated": "2025-04-15T19:05:13.896Z"}, "containers": {"cna": {"affected": [{"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "137.0.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "128.9.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2."}]}], "problemTypes": [{"descriptions": [{"description": "Leak of hashed Window credentials via crafted attachment URL", "lang": "en", "type": "text"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1955372"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-26/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-27/"}], "credits": [{"lang": "en", "value": "Dario Wei\u00dfer"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2025-04-15T15:06:13.599Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-601", "lang": "en", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-15T18:49:37.244746Z", "id": "CVE-2025-3522", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-15T19:05:13.896Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-3522", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-15T18:49:37.244746Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-15T19:02:33.423Z"}}], "cna": {"credits": [{"lang": "en", "value": "Dario Wei\u00dfer"}], "affected": [{"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "137.0.2", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "128.9.2", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1955372"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-26/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-27/"}], "descriptions": [{"lang": "en", "value": "Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.", "supportingMedia": [{"type": "text/html", "value": "Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Leak of hashed Window credentials via crafted attachment URL"}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2025-04-15T15:06:13.599Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3522", "state": "PUBLISHED", "dateUpdated": "2025-04-15T19:05:13.896Z", "dateReserved": "2025-04-11T15:23:30.875Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-04-15T15:06:13.599Z", "assignerShortName": "mozilla"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "D11A3908-71D7-4967-8029-0D4DD57F384C", "versionEndExcluding": "128.9.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "971D9339-D135-4B63-A4DA-E333080DA5E6", "versionEndExcluding": "137.0.2", "versionStartIncluding": "129.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2."}, {"lang": "es", "value": "Thunderbird procesa el encabezado X-Mozilla-External-Attachment-URL para gestionar los archivos adjuntos alojados externamente. Al abrir un correo electr\u00f3nico, Thunderbird accede a la URL especificada para determinar el tama\u00f1o del archivo y la accede cuando el usuario hace clic en el archivo adjunto. Dado que la URL no est\u00e1 validada ni depurada, puede hacer referencia a recursos internos como enlaces a chrome:// o a recursos compartidos SMB file://, lo que podr\u00eda provocar una fuga de credenciales de Windows con hash y dar lugar a problemas de seguridad m\u00e1s graves. Esta vulnerabilidad afecta a Thunderbird (versi\u00f3n anterior a la 137.0.2) y Thunderbird (versi\u00f3n anterior a la 128.9.2)."}], "id": "CVE-2025-3522", "lastModified": "2025-06-18T13:26:04.983", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-04-15T15:16:09.877", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1955372"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-26/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-27/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:7507", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "thunderbird-0:128.10.0-1.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:4649", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:128.9.2-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-05-07T00:00:00Z"}, {"advisory": "RHSA-2025:4389", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "thunderbird-0:128.9.2-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2025-04-30T00:00:00Z"}, {"advisory": "RHSA-2025:4654", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "thunderbird-0:128.9.2-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2025-05-07T00:00:00Z"}, {"advisory": "RHSA-2025:4654", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "thunderbird-0:128.9.2-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2025-05-07T00:00:00Z"}, {"advisory": "RHSA-2025:4654", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "thunderbird-0:128.9.2-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2025-05-07T00:00:00Z"}, {"advisory": "RHSA-2025:4665", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "thunderbird-0:128.9.2-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2025-05-07T00:00:00Z"}, {"advisory": "RHSA-2025:4665", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "thunderbird-0:128.9.2-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2025-05-07T00:00:00Z"}, {"advisory": "RHSA-2025:4665", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "thunderbird-0:128.9.2-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2025-05-07T00:00:00Z"}, {"advisory": "RHSA-2025:4617", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "thunderbird-0:128.9.2-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2025-05-07T00:00:00Z"}, {"advisory": "RHSA-2025:4229", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:128.9.2-1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-04-28T00:00:00Z"}, {"advisory": "RHSA-2025:7435", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:128.10.0-1.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:4514", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "thunderbird-0:128.9.2-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4513", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "thunderbird-0:128.9.2-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4512", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "thunderbird-0:128.9.2-1.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-05-06T00:00:00Z"}], "bugzilla": {"description": "thunderbird: Leak of hashed Window credentials via crafted attachment URL", "id": "2359793", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359793"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-1220", "details": ["Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2."], "name": "CVE-2025-3522", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "thunderbird-flatpak-container", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "thunderbird-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-15T15:06:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-3522\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-3522\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1955372\nhttps://www.mozilla.org/security/advisories/mfsa2025-26/\nhttps://www.mozilla.org/security/advisories/mfsa2025-27/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Important"}

{}