Description
A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog.
*This bug only affects Thunderbird for Android. Other versions of Thunderbird are unaffected.*. This vulnerability was fixed in Firefox 138 and Thunderbird 138.
Published: 2025-04-29
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: File type obfuscation that could lead to malicious files being executed
Action: Patch Immediately
AI Analysis

Impact

A specially crafted filename containing numerous encoded newline characters can hide the true file extension from the download dialog, making it appear as a safe type. The malicious file may deceive users into trusting or executing it, thus compromising system integrity and potentially leading to malware execution.

Affected Systems

Mozilla Thunderbird for Android is affected; other Thunderbird versions are unaffected. Firefox is not impacted. The issue was fixed in Thunderbird version 138, so any installation prior to that applies.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of under 1% shows a low probability of exploitation. Exploitation requires user interaction: a malicious actor must provide a file with an encoded-newline payload that the user downloads, and the file must be opened or executed on the device. The attack vector is inferred to be social engineering through downloads from potentially untrusted sources.

Generated by OpenCVE AI on April 21, 2026 at 21:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Thunderbird for Android to version 138 or later.
  • Avoid downloading files from untrusted or unknown sources until the update is installed and verify file extensions before opening.
  • Use a reputable antivirus or malware detection tool to scan downloaded files for suspicious extensions before execution.

Generated by OpenCVE AI on April 21, 2026 at 21:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-12656 A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog. *This bug only affects Thunderbird for Android. Other versions of Thunderbird are unaffected.* This vulnerability affects Firefox < 138 and Thunderbird < 138.
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog. *This bug only affects Thunderbird for Android. Other versions of Thunderbird are unaffected.* This vulnerability affects Firefox < 138 and Thunderbird < 138. A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog. *This bug only affects Thunderbird for Android. Other versions of Thunderbird are unaffected.*. This vulnerability was fixed in Firefox 138 and Thunderbird 138.
Title firefox: thunderbird: Specially crafted filename could be used to obscure download type Specially crafted filename could be used to obscure download type

Fri, 09 May 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Thu, 01 May 2025 14:30:00 +0000

Type Values Removed Values Added
Description A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 138 and Thunderbird < 138. A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog. *This bug only affects Thunderbird for Android. Other versions of Thunderbird are unaffected.* This vulnerability affects Firefox < 138 and Thunderbird < 138.

Thu, 01 May 2025 02:45:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Specially crafted filename could be used to obscure download type
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 29 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-451
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 29 Apr 2025 13:30:00 +0000

Type Values Removed Values Added
Description A specially crafted filename containing a large number of encoded newline characters could obscure the file's extension when displayed in the download dialog. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 138 and Thunderbird < 138.
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:28:45.158Z

Reserved: 2025-04-29T13:13:40.209Z

Link: CVE-2025-4086

cve-icon Vulnrichment

Updated: 2025-04-29T15:55:14.131Z

cve-icon NVD

Status : Modified

Published: 2025-04-29T14:15:35.267

Modified: 2026-04-13T15:17:00.047

Link: CVE-2025-4086

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-04-29T13:13:40Z

Links: CVE-2025-4086 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T21:15:45Z

Weaknesses