Description
When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability was fixed in Thunderbird 137.0.2 and Thunderbird 128.9.2.
Published: 2025-04-15
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: UI Misrepresentation Leading to Possible Social Engineering
Action: Apply Patch
AI Analysis

Impact

An email can carry several attachments, each with an external URL supplied through the X-Mozilla-External-Attachment-URL header. Thunderbird shows only the last of those URLs as the hover text for every attachment, although the correct URL is used when an attachment is clicked. The hover text can therefore make a link appear safe when it is not, and a user may end up downloading content from an untrusted or malicious source. The flaw is classified as CWE-451, User Interface (UI) Misrepresentation. The impact is primarily social engineering: a user can be tricked into interacting with a harmful attachment, which may compromise the confidentiality, integrity, or availability of the user's machine or data.

Affected Systems

The vulnerability affects the Mozilla Thunderbird email client in all versions prior to Thunderbird 128.9.2 and Thunderbird 137.0.2, irrespective of platform. No other vendor, product, or operating system component is listed as affected in this report.

Risk and Exploitability

The CVSS score of 6.4 reflects moderate severity. The EPSS score below 1% indicates a very low probability of exploitation at the time of analysis, and the issue is not listed in CISA's KEV catalog. An attacker would need to craft an email aimed at Thunderbird users and rely on the hover misrepresentation to influence their behavior, so the risk is driven by user interaction and social engineering rather than automated exploitation.

Generated by OpenCVE AI on April 20, 2026 at 17:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Thunderbird to version 137.0.2 or later, or to version 128.9.2 or later if using that release line
  • Enable attachment verification or sandboxing features within Thunderbird or the operating system to reduce the impact of malicious attachments
  • Use an email security gateway to filter or neutralize the X-Mozilla-External-Attachment-URL header in inbound messages
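The description above states the condition that makes the hover text misleading (several attachment parts, each carrying its own X-Mozilla-External-Attachment-URL header), and the last recommended action is to filter or neutralize that header at a gateway. The following script is an added example, not OpenCVE's or Mozilla's code: it parses a message, lists every attachment part that carries the header, flags the multi-attachment condition, and strips the header as a gateway would. It assumes the header sits on the individual MIME parts (the constructed sample below is built that way) and uses only the Python standard library.

```python
import email
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

EXT_URL_HEADER = "X-Mozilla-External-Attachment-URL"

# Constructed sample message (not taken from the advisory): two detached
# attachments, each with its own external URL on the MIME part. Hostnames
# are placeholders.
SAMPLE_EMAIL = """\
From: sender@example.test
To: user@example.test
Subject: Quarterly figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please review the attached files.
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
X-Mozilla-External-Attachment-URL: https://files.example.test/report.pdf

--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
X-Mozilla-External-Attachment-URL: https://untrusted.example.invalid/invoice.pdf

--b1--
"""


def parse_message(raw: str) -> EmailMessage:
    """Parse an RFC 5322 message with the modern email policy."""
    return email.message_from_string(raw, policy=policy.default)


def external_attachment_urls(msg: EmailMessage) -> list[tuple[str, str]]:
    """Return (filename, url) for every non-multipart part carrying the header.

    walk() yields the top-level message first, so a single-part message with
    the header at top level is covered as well.
    """
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        url = part.get(EXT_URL_HEADER)
        if url is None:
            continue
        found.append((part.get_filename() or "<unnamed>", str(url).strip()))
    return found


def hover_mismatch_possible(msg: EmailMessage) -> bool:
    """True when more than one attachment carries an external URL: the
    condition under which an unpatched Thunderbird shows one URL as hover
    text for all of them."""
    return len(external_attachment_urls(msg)) > 1


def report(msg: EmailMessage) -> list[dict]:
    """Per-attachment record for gateway logging: filename, URL and host,
    so each external link can be reviewed individually."""
    return [
        {"filename": name, "url": url, "host": urlsplit(url).hostname}
        for name, url in external_attachment_urls(msg)
    ]


def neutralize(msg: EmailMessage) -> EmailMessage:
    """Gateway-style mitigation: remove every occurrence of the header so the
    receiving client has no external URL to display or open for the part."""
    for part in msg.walk():
        if EXT_URL_HEADER in part:
            del part[EXT_URL_HEADER]
    return msg


if __name__ == "__main__":
    message = parse_message(SAMPLE_EMAIL)
    for entry in report(message):
        print(f"{entry['filename']}: {entry['url']} (host {entry['host']})")
    print("multiple external attachments:", hover_mismatch_possible(message))
    cleaned = neutralize(message)
    print("after neutralize:", external_attachment_urls(cleaned))
```

The detection side (report and hover_mismatch_possible) is what a gateway or mail-log analysis would surface; neutralize is the blunt mitigation from the recommended actions and removes the detached-attachment links for all recipients, patched or not, so it is a policy choice rather than a transparent fix.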



Advisories
Source | ID | Title
Debian DSA | DSA-5912-1 | thunderbird security update
EUVD | EUVD-2025-10966 | When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
Ubuntu USN | USN-7663-1 | Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2. | When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability was fixed in Thunderbird 137.0.2 and Thunderbird 128.9.2.
Title | thunderbird: User Interface (UI) Misrepresentation of attachment URL | User Interface (UI) Misrepresentation of attachment URL

Fri, 13 Jun 2025 19:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla; Mozilla thunderbird
CPEs | | cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products | | Mozilla; Mozilla thunderbird

Wed, 14 May 2025 03:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:/o:redhat:enterprise_linux:10.0

Thu, 08 May 2025 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redhat rhel Tus
CPEs | | cpe:/a:redhat:enterprise_linux:8; cpe:/a:redhat:rhel_aus:8.4; cpe:/a:redhat:rhel_aus:8.6; cpe:/a:redhat:rhel_e4s:8.4; cpe:/a:redhat:rhel_e4s:8.6; cpe:/a:redhat:rhel_tus:8.4; cpe:/a:redhat:rhel_tus:8.6
Vendors & Products | | Redhat rhel Tus

Wed, 07 May 2025 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redhat rhel E4s
CPEs | | cpe:/a:redhat:rhel_e4s:9.0; cpe:/a:redhat:rhel_eus:8.8
Vendors & Products | | Redhat rhel E4s

Tue, 06 May 2025 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redhat rhel Eus
CPEs | | cpe:/a:redhat:rhel_eus:9.2; cpe:/a:redhat:rhel_eus:9.4
Vendors & Products | | Redhat rhel Eus

Thu, 01 May 2025 02:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redhat rhel Aus
CPEs | | cpe:/a:redhat:rhel_aus:8.2
Vendors & Products | | Redhat rhel Aus

Mon, 28 Apr 2025 16:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redhat; Redhat enterprise Linux
CPEs | | cpe:/a:redhat:enterprise_linux:9
Vendors & Products | | Redhat; Redhat enterprise Linux

Sat, 19 Apr 2025 02:00:00 +0000

Type | Values Removed | Values Added
Title | | thunderbird: User Interface (UI) Misrepresentation of attachment URL
References | |
Metrics | threat_severity: None | threat_severity: Low


Tue, 15 Apr 2025 18:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-451
Metrics | | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 15 Apr 2025 15:15:00 +0000

Type | Values Removed | Values Added
Description | | When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
References | |

Subscriptions

Mozilla: Thunderbird
Redhat: Enterprise Linux, Rhel Aus, Rhel E4s, Rhel Eus, Rhel Tus

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:28:31.335Z

Reserved: 2025-04-11T15:27:51.919Z

Link: CVE-2025-3523

Vulnrichment

Updated: 2025-04-15T17:51:32.228Z

NVD

Status : Modified

Published: 2025-04-15T15:16:09.957

Modified: 2026-04-13T15:16:57.847

Link: CVE-2025-3523

Redhat

Severity : Low

Public Date: 2025-04-15T15:06:14Z

Links: CVE-2025-3523 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T17:30:12Z

Weaknesses