Directory Traversal Vulnerability in Thunderbird Email Client by Mozilla
CVE-2025-2830

6.3MEDIUM

Key Information:

Vendor: Mozilla
Status: Thunderbird
Vendor: CVE Published:; 15 April 2025

What is CVE-2025-2830?

A security vulnerability exists in the Thunderbird email client where specially crafted file names in multipart messages can lead to exposure of the directory listing from the /tmp folder when the message is forwarded or edited. This vulnerability affects multiple operating systems, including Linux and Windows, allowing attackers to potentially disclose sensitive information from the user's system. The flaw impacts affected versions prior to 137.0.2 and 128.9.2, and users are encouraged to update to secure versions promptly.

Affected Version(s)

Thunderbird < 137.0.2

Thunderbird < 128.9.2

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1956379

https://www.mozilla.org/security/advisories/mfsa2025-26/

https://www.mozilla.org/security/advisories/mfsa2025-27/

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2025
Vulnerability Reserved
Mar 26, 2025

Credit

Dario Weißer