Email Client Vulnerability in Thunderbird by Mozilla
CVE-2025-3932

6.5MEDIUM

Key Information:

Vendor: Mozilla
Status: Thunderbird
Vendor: CVE Published:; 14 May 2025

What is CVE-2025-3932?

A vulnerability in Thunderbird allowed attackers to craft emails featuring tracking links masked as attachments. When users attempted to open these attachments, Thunderbird would automatically access the linked content, bypassing configurations intended to block remote content. Mozilla has released patches to prevent access to web pages specified in the X-Mozilla-External-Attachment-URL header, ensuring that users are protected from this exploit in affected versions.

Affected Version(s)

Thunderbird < 128.10.1

Thunderbird < 138.0.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1960412

https://www.mozilla.org/security/advisories/mfsa2025-34/

https://www.mozilla.org/security/advisories/mfsa2025-35/

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2025
Vulnerability Reserved
Apr 25, 2025

Credit

Dario Weißer