Description
Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability was fixed in Thunderbird 137.0.2 and Thunderbird 128.9.2.
Published: 2025-04-15
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure of Hashed Windows Credentials
Action: Patch Immediately
AI Analysis

Impact

Thunderbird uses the X-Mozilla-External-Attachment-URL header to obtain attachments that can be hosted elsewhere. When a message is opened, the client connects to the URL to determine file size and later downloads the attachment when the user clicks it. Because the URL is not validated or sanitized, an attacker can supply a reference to internal resources such as chrome:// or SMB share file:// links. In Windows environments, this leads to the leakage of hashed credentials, which could enable further attacks. The weakness falls under CWE-1220 (Data Leakage) and CWE-601 (Open Redirect).

Affected Systems

Mozilla Thunderbird email client versions prior to 137.0.2 and 128.9.2. Any installation of those earlier releases that processes the X-Mozilla-External-Attachment-URL header is potentially vulnerable. The issue is not specific to a particular operating system but the credential leakage impact applies to Windows-based Thunderbird clients.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium severity vulnerability, while the EPSS score of <1% suggests that exploitation attempts are currently rare. The vulnerability is not listed in CISA’s KEV catalog. An attacker can exploit this flaw by sending a crafted email containing the vulnerable header; the victim must open the message for the client to access the URL and leak credentials. Because the flaw requires user interaction and is limited to the Thunderbird client, the overall risk is moderate, but it can be a stepping stone to more serious exploits if the attacker gains additional footholds.

Generated by OpenCVE AI on April 20, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Thunderbird to 137.0.2 or a later patch series that includes the fix; apply all available security updates for the client.
  • If updating is not immediately possible, configure the client or email gateway to ignore or block the X-Mozilla-External-Attachment-URL header so that external attachment URLs are not processed.
  • Apply email filtering rules to reject or quarantine any message that contains the X-Mozilla-External-Attachment-URL header or references external resources, reducing the risk of credential leakage.
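A gateway-side filter that implements the two actions above (block any message carrying the header, or only those whose URL is not plain http(s)), written here as an added example rather than OpenCVE's or Mozilla's code; the sample message, its addresses and the PLACEHOLDER-HOST share name are constructed.

```python
"""CVE-2025-3522 gateway check; added example, not OpenCVE's or Mozilla's code."""
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

HEADER = "X-Mozilla-External-Attachment-URL"
WEB_SCHEMES = {"http", "https"}

def classify_url(raw_url: str) -> str:
    """'web' for http(s), 'local' for file://, chrome://, smb:// etc., else 'malformed'."""
    try:
        scheme = urlsplit(raw_url.strip()).scheme  # urlsplit lowercases the scheme
    except ValueError:
        return "malformed"
    if not scheme:
        return "malformed"
    return "web" if scheme in WEB_SCHEMES else "local"

def scan_message(raw_message: str) -> list[tuple[str, str]]:
    """Walk every MIME part (the header sits on attachment parts) and classify each URL."""
    msg = message_from_string(raw_message, policy=default)
    return [(str(v).strip(), classify_url(v)) for part in msg.walk()
            for v in part.get_all(HEADER, [])]

def should_quarantine(raw_message: str, strict: bool = False) -> bool:
    """strict=True quarantines any message carrying the header at all (the gateway
    action above); otherwise only URLs that are not plain http(s) trigger it."""
    findings = scan_message(raw_message)
    return bool(findings) if strict else any(v != "web" for _, v in findings)

# Constructed sample: one attachment hosted over https, one pointing at a file:// share.
SAMPLE = """\
From: sender@example.test
To: user@example.test
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
X-Mozilla-External-Attachment-URL: https://files.example.test/report.pdf

--b1
Content-Type: application/octet-stream; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"
X-Mozilla-External-Attachment-URL: file://PLACEHOLDER-HOST/share/notes.txt

--b1--
"""
```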


Advisories
Source | ID | Title
Debian DSA | DSA-5912-1 | thunderbird security update
EUVD | EUVD-2025-10965 | Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
Ubuntu USN | USN-7663-1 | Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type: Description
  Removed: Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
  Added: Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability was fixed in Thunderbird 137.0.2 and Thunderbird 128.9.2.
Type: Title
  Removed: thunderbird: Leak of hashed Window credentials via crafted attachment URL
  Added: Leak of hashed Window credentials via crafted attachment URL

Wed, 18 Jun 2025 13:45:00 +0000

Type: First Time appeared
  Added: Mozilla; Mozilla thunderbird
Type: CPEs
  Added: cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Added: Mozilla; Mozilla thunderbird

Wed, 14 May 2025 03:00:00 +0000

Type: CPEs
  Added: cpe:/o:redhat:enterprise_linux:10.0

Thu, 08 May 2025 15:00:00 +0000

Type: First Time appeared
  Added: Redhat rhel Tus
Type: CPEs
  Added:
    cpe:/a:redhat:enterprise_linux:8
    cpe:/a:redhat:rhel_aus:8.4
    cpe:/a:redhat:rhel_aus:8.6
    cpe:/a:redhat:rhel_e4s:8.4
    cpe:/a:redhat:rhel_e4s:8.6
    cpe:/a:redhat:rhel_tus:8.4
    cpe:/a:redhat:rhel_tus:8.6
Type: Vendors & Products
  Added: Redhat rhel Tus

Wed, 07 May 2025 15:00:00 +0000

Type: First Time appeared
  Added: Redhat rhel E4s
Type: CPEs
  Added:
    cpe:/a:redhat:rhel_e4s:9.0
    cpe:/a:redhat:rhel_eus:8.8
Type: Vendors & Products
  Added: Redhat rhel E4s

Tue, 06 May 2025 15:15:00 +0000

Type: First Time appeared
  Added: Redhat rhel Eus
Type: CPEs
  Added:
    cpe:/a:redhat:rhel_eus:9.2
    cpe:/a:redhat:rhel_eus:9.4
Type: Vendors & Products
  Added: Redhat rhel Eus

Thu, 01 May 2025 02:45:00 +0000

Type: First Time appeared
  Added: Redhat rhel Aus
Type: CPEs
  Added: cpe:/a:redhat:rhel_aus:8.2
Type: Vendors & Products
  Added: Redhat rhel Aus

Mon, 28 Apr 2025 16:00:00 +0000

Type: First Time appeared
  Added: Redhat; Redhat enterprise Linux
Type: CPEs
  Added: cpe:/a:redhat:enterprise_linux:9
Type: Vendors & Products
  Added: Redhat; Redhat enterprise Linux

Sat, 19 Apr 2025 02:00:00 +0000

Type: Title
  Added: thunderbird: Leak of hashed Window credentials via crafted attachment URL
Type: Weaknesses
  Added: CWE-1220
Type: References
Type: Metrics
  Removed: threat_severity None
  Added: threat_severity Important

Tue, 15 Apr 2025 20:15:00 +0000

Type: Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 15 Apr 2025 19:45:00 +0000

Type: Weaknesses
  Added: CWE-601
Type: Metrics
  Added: cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

Tue, 15 Apr 2025 15:15:00 +0000

Type: Description
  Added: Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
Type: References

Subscriptions

Mozilla Thunderbird
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Eus Rhel Tus
MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:28:27.731Z

Reserved: 2025-04-11T15:23:30.875Z

Link: CVE-2025-3522

Vulnrichment

Updated: 2025-04-15T19:02:33.423Z

NVD

Status : Modified

Published: 2025-04-15T15:16:09.877

Modified: 2026-04-13T15:16:57.657

Link: CVE-2025-3522

Redhat

Severity : Important

Public Date: 2025-04-15T15:06:13Z

Links: CVE-2025-3522 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T20:45:16Z

Weaknesses