Description
It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.
Published: 2025-05-14
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote content exposure via attachment
Action: Apply patch
AI Analysis

Impact

A crafted email can present a tracking URL through the X‑Mozilla‑External‑Attachment‑URL header, causing Thunderbird to automatically request the URL when a user opens the attachment. This bypasses the user’s remote‑content blocking setting, resulting in unintended network traffic and potential disclosure of user or device information. The vulnerability does not provide a path to execute code on the system.

Affected Systems

Mozilla Thunderbird is affected in all releases prior to 128.10.1 and 138.0.1. The impact applies to Thunderbird installations on Red Hat Enterprise Linux 8 and 9, including their extended update streams such as RHEL EUS, RHEL E4S, RHEL AUS, and RHEL TUS.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker must send a malicious email and rely on a user opening the attachment; the client then initiates a background request to the URL, achieving remote content exposure.

Generated by OpenCVE AI on April 22, 2026 at 01:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Thunderbird to version 128.10.1 or newer, which removes automatic access to URLs contained in the X‑Mozilla‑External‑Attachment‑URL header.
  • Enable the built‑in remote‑content blocking preference in Thunderbird to reduce the risk of similar remote content from other headers or forms.
  • Subscribe to Mozilla security advisories or the distribution’s update channel to receive timely notification of future patches.

Generated by OpenCVE AI on April 22, 2026 at 01:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4167-1 thunderbird security update
Debian DSA Debian DSA DSA-5921-1 thunderbird security update
EUVD EUVD EUVD-2025-14934 It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
Ubuntu USN Ubuntu USN USN-7663-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1. It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.
Title thunderbird: Tracking Links in Attachments Bypassed Remote Content Blocking Tracking Links in Attachments Bypassed Remote Content Blocking

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Wed, 11 Jun 2025 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:rhel_e4s:8.8
cpe:/a:redhat:rhel_tus:8.8

Fri, 06 Jun 2025 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_tus:8.6
Vendors & Products Redhat rhel Tus

Thu, 05 Jun 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla thunderbird

Tue, 03 Jun 2025 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
CPEs cpe:/a:redhat:rhel_aus:8.2
Vendors & Products Redhat rhel Aus

Sat, 31 May 2025 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel E4s
Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_eus:9.4
Vendors & Products Redhat rhel E4s
Redhat rhel Eus

Wed, 28 May 2025 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:9
cpe:/o:redhat:enterprise_linux:10.0
Vendors & Products Redhat
Redhat enterprise Linux

Wed, 21 May 2025 03:00:00 +0000

Type Values Removed Values Added
References

Fri, 16 May 2025 15:00:00 +0000

Type Values Removed Values Added
Title thunderbird: Tracking Links in Attachments Bypassed Remote Content Blocking
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 15 May 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Thu, 15 May 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-288
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 May 2025 17:15:00 +0000

Type Values Removed Values Added
Description It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
References

Subscriptions

Mozilla Thunderbird
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Eus Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:27:54.782Z

Reserved: 2025-04-25T12:43:02.149Z

Link: CVE-2025-3932

cve-icon Vulnrichment

Updated: 2025-11-03T19:58:40.582Z

cve-icon NVD

Status : Modified

Published: 2025-05-14T17:15:48.763

Modified: 2026-04-13T15:16:58.747

Link: CVE-2025-3932

cve-icon Redhat

Severity : Low

Publid Date: 2025-05-14T16:56:43Z

Links: CVE-2025-3932 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T01:45:05Z

Weaknesses