Description
Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.
Published: 2025-05-14
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: JavaScript execution in the file:/// context via a spoofed PDF attachment (CVSS C:H/I:H/A:N)
Action: Patch Immediately
AI Analysis

Impact

Thunderbird can incorrectly render a message/rfc822 attachment that claims to be a PDF as HTML. The attachment is auto‑saved to a temporary location (/tmp in the description) and opened through a file:/// URL, so JavaScript embedded in the nested message runs in the file:/// context without any user‑initiated download; the only interaction required is opening the attachment (CVSS UI:R). The payload is script running inside Thunderbird's rendering context, not a native binary, but the vector rates both confidentiality and integrity impact as high with no availability impact (C:H/I:H/A:N). The weakness is mapped to CWE‑290 (Authentication Bypass by Spoofing, for the spoofed content type) and CWE‑356 (Product UI Does Not Warn User of Unsafe Actions, because the attachment is rendered without a warning), both rooted in the mishandling of the attachment headers.
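The two indicators named above (a nested message carried under an application/pdf content type, and an X-Mozilla-External-Attachment-URL header whose value is a file:/// URL) can be checked at a mail gateway or over a mailbox export. The Python script below is an added example, not code from OpenCVE or Mozilla: it parses RFC 822 messages with the standard library, flags both indicators, and runs against two messages constructed inline for this example (a benign PDF attachment and one matching the described pattern). The header name and the file:/// scheme come from the CVE text; the %PDF- magic-byte check and the header heuristic for recognising a nested message are this example's own assumptions.

```python
"""Scan RFC 822 messages for the attachment pattern described in CVE-2025-3909.

Added example, not OpenCVE or Mozilla code. The sample messages are constructed
here for the example and are not captured mail.
"""
import email
from email import policy
from email.message import EmailMessage

EXT_HEADER = "X-Mozilla-External-Attachment-URL"   # header named in the CVE text
FILE_SCHEME = "file:///"                           # scheme named in the CVE text
PDF_MAGIC = b"%PDF-"                               # assumption: real PDFs start with this


def looks_like_rfc822(payload: bytes) -> bool:
    """Heuristic (assumed, not from the advisory): a nested message begins with
    header lines such as 'From:' or 'Content-Type:', never with PDF magic."""
    head = payload.lstrip()[:512].lower()
    if head.startswith(PDF_MAGIC.lower()):
        return False
    return any(head.startswith(h) for h in
               (b"from:", b"to:", b"subject:", b"content-type:", b"mime-version:"))


def scan_message(raw: bytes) -> list:
    """Return a list of findings for one message; an empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        # Indicator 1: an external-attachment header pointing into the local filesystem.
        ext = part.get(EXT_HEADER)
        if ext and ext.strip().lower().startswith(FILE_SCHEME):
            findings.append(f"{EXT_HEADER} uses file:///: {ext.strip()}")
        # Indicator 2: declared PDF whose bytes are not a PDF but a nested message.
        if part.get_content_type() == "application/pdf":
            payload = part.get_payload(decode=True) or b""
            if not payload.startswith(PDF_MAGIC) and looks_like_rfc822(payload):
                findings.append(f"part {part.get_filename()!r} is declared "
                                f"application/pdf but contains an RFC 822 message")
    return findings


def build_samples() -> dict:
    """Constructed sample messages for this example."""
    benign = EmailMessage()
    benign["From"] = "alice@example.com"
    benign["To"] = "bob@example.com"
    benign["Subject"] = "Q3 report"
    benign.set_content("Report attached.")
    benign.add_attachment(b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
                          maintype="application", subtype="pdf", filename="report.pdf")

    # A nested message (no script payload; only the structure matters for detection).
    nested = (b"From: sender@example.net\r\n"
              b"Subject: inner\r\n"
              b"Content-Type: text/html\r\n"
              b"\r\n"
              b"<html><body>nested message, not a PDF</body></html>\r\n")
    suspicious = EmailMessage()
    suspicious["From"] = "sender@example.net"
    suspicious["To"] = "bob@example.com"
    suspicious["Subject"] = "Invoice"
    suspicious.set_content("See attached invoice.")
    suspicious.add_attachment(nested, maintype="application", subtype="pdf",
                              filename="invoice.pdf",
                              headers=[f"{EXT_HEADER}: file:///tmp/invoice.pdf"])
    return {"benign": benign.as_bytes(), "suspicious": suspicious.as_bytes()}


if __name__ == "__main__":
    for name, raw in build_samples().items():
        print(name, "->", scan_message(raw) or "clean")
```

To run it over a real mailbox export, feed each message's bytes to scan_message(); the magic-byte check will also catch unrelated content-type spoofing, which is worth a look on its own.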

Affected Systems

Mozilla Thunderbird on all platforms is affected in versions older than 128.10.1 on the 128 ESR branch and older than 138.0.1 on the monthly release branch. The ordering is branch‑specific: a monthly release such as 130.x is numerically newer than 128.10.1 but still unpatched, while 128.10.1esr is fixed although it is below 138.0.1. The attack can be carried out against any email account that receives a crafted nested attachment; the operating system is irrelevant because the exploit depends on Thunderbird's own handling of the X‑Mozilla‑External‑Attachment‑URL header and of the attachment's declared content type.

Risk and Exploitability

The CVSS score of 8.1 places the vulnerability in the high severity band. The EPSS score of less than 1% indicates a low but non‑zero probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog and the SSVC record reports Exploitation: none, so there is no confirmed in‑the‑wild exploitation at present. The attack vector is an email containing a specially crafted nested attachment delivered to the user's mailbox: the attacker sends the message and the user must open the attachment (UI:R). No authentication or elevated privileges are needed (PR:N); the script runs with whatever the Thunderbird process can do as the logged‑in user. The risk is therefore moderate to high for organizations that process sensitive email and for users who open attachments from unknown or compromised sources.

Generated by OpenCVE AI on April 20, 2026 at 17:09 UTC.

Remediation

The vendor fix is the upgrade to Thunderbird 128.10.1 or 138.0.1 stated in the description; no workaround short of upgrading is documented on this page.

OpenCVE Recommended Actions

  • Upgrade Thunderbird to version 128.10.1 or later (128 ESR branch) or 138.0.1 or later (monthly release).
  • If an upgrade is not immediately possible, prevent attachments from being rendered inline in Thunderbird and treat file:/// links in mail as untrusted. This page names no Thunderbird preference that blocks the behaviour, so verify any setting you rely on against your deployed version rather than assuming it covers this case.
  • Avoid opening nested email attachments (message/rfc822, shown as attached .eml messages) from untrusted sources, and consider blocking message/rfc822 attachments at the mail gateway if they are not required for business operations.
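Because the fixed versions sit on two branches, a plain numeric comparison gives the wrong answer for monthly releases between 129 and 137 (newer than 128.10.1, still affected) and for 128.x ESR builds (below 138.0.1, fixed from 128.10.1). The Python helper below is an added example, not OpenCVE or Mozilla code; the fixed versions are the ones this page states, and the version‑string formats it parses (such as "Thunderbird 128.9.0esr" from `thunderbird --version` on Linux) are an assumption of this example.

```python
"""Decide whether an installed Thunderbird build is in the affected range for
CVE-2025-3909: < 128.10.1 on the 128 ESR branch, < 138.0.1 otherwise.

Added example, not OpenCVE or Mozilla code. The `thunderbird --version`
output format is assumed; pass strings from your own inventory if it differs.
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_ESR = (128, 10, 1)       # fixed version on the 128 ESR branch (from this page)
FIXED_RELEASE = (138, 0, 1)    # fixed version on the monthly release branch (from this page)


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a 3-tuple from strings like 'Thunderbird 128.9.0esr' or '138.0'."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))   # pad so '138.0' compares as 138.0.0


def is_affected(text: str) -> bool:
    """True when the version is below the fix for its own branch."""
    v = parse_version(text)
    if v[0] == 128:                  # ESR branch: compare against 128.10.1
        return v < FIXED_ESR
    return v < FIXED_RELEASE         # everything else: compare against 138.0.1


def installed_version(binary: str = "thunderbird") -> Optional[str]:
    """Ask the local binary for its version; None if it is not on PATH."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    text = installed_version()
    if text is None:
        print("thunderbird not found on PATH")
    else:
        print(text, "-> AFFECTED, upgrade" if is_affected(text) else "-> fixed")
```

Run it on a host with Thunderbird on PATH, or call is_affected() on version strings collected by your asset inventory.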

Tracking


Advisories
Source | ID | Title
Debian DLA | DLA-4167-1 | thunderbird security update
Debian DSA | DSA-5921-1 | thunderbird security update
EUVD | EUVD-2025-14935 | (title reproduces the CVE description text; affected: Thunderbird < 128.10.1 and Thunderbird < 138.0.1)
Ubuntu USN | USN-7663-1 | Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description
  removed: the CVE description text ending "This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1."
  added: the same CVE description text ending "This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1."
Title
  removed: thunderbird: JavaScript Execution via Spoofed PDF Attachment and file:/// Link
  added: JavaScript Execution via Spoofed PDF Attachment and file:/// Link

Fri, 27 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics
  removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
  removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
  added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-356

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Wed, 11 Jun 2025 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:rhel_e4s:8.8
cpe:/a:redhat:rhel_tus:8.8

Fri, 06 Jun 2025 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_tus:8.6
Vendors & Products Redhat rhel Tus

Thu, 05 Jun 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla thunderbird

Tue, 03 Jun 2025 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
CPEs cpe:/a:redhat:rhel_aus:8.2
Vendors & Products Redhat rhel Aus

Sat, 31 May 2025 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel E4s
Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_eus:9.4
Vendors & Products Redhat rhel E4s
Redhat rhel Eus

Wed, 28 May 2025 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:9
cpe:/o:redhat:enterprise_linux:10.0
Vendors & Products Redhat
Redhat enterprise Linux

Wed, 21 May 2025 03:00:00 +0000


Fri, 16 May 2025 15:00:00 +0000

Type Values Removed Values Added
Title
  added: thunderbird: JavaScript Execution via Spoofed PDF Attachment and file:/// Link
References
Metrics
  removed: threat_severity None
  added: threat_severity Important


Thu, 15 May 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses
  added: CWE-290
Metrics
  added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
  added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 14 May 2025 17:15:00 +0000

Type Values Removed Values Added
Description Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
References

Subscriptions

Mozilla Thunderbird
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Eus Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:27:53.020Z

Reserved: 2025-04-23T17:44:42.650Z

Link: CVE-2025-3909

cve-icon Vulnrichment

Updated: 2025-11-03T19:58:39.208Z

cve-icon NVD

Status : Modified

Published: 2025-05-14T17:15:48.660

Modified: 2026-04-13T15:16:58.560

Link: CVE-2025-3909

cve-icon Redhat

Severity : Important

Public Date: 2025-05-14T16:56:43Z

Links: CVE-2025-3909 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:15:12Z

Weaknesses