CVE-2025-3523: Vulnerability in Mozilla Thunderbird
When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability was fixed in Thunderbird 137.0.2 and Thunderbird 128.9.2.
AI Analysis
Technical Summary
The vulnerability CVE-2025-3523 in Mozilla Thunderbird involves incorrect display of attachment URLs when multiple attachments with external links are present. Specifically, the hover tooltip for attachments shows only the last URL from the X-Mozilla-External-Attachment-URL header regardless of which attachment is hovered over. This UI misrepresentation may trick users into believing they are downloading from a trusted source when the hover text is misleading. The actual link used on click remains correct. Mozilla fixed this issue in Thunderbird 137.0.2 and Thunderbird ESR 128.9.2.
Potential Impact
The vulnerability can cause user confusion by displaying incorrect hover text for attachment URLs, potentially leading users to download content from untrusted or malicious sources. While the actual link clicked is correct, the misleading UI increases the risk of social engineering attacks. The CVSS score is 6.4 (medium severity), reflecting low confidentiality impact but high integrity impact and low availability impact.
Mitigation Recommendations
This vulnerability has been fixed by Mozilla in Thunderbird 137.0.2 and Thunderbird ESR 128.9.2. Users and administrators should update to these versions or later to remediate the issue. No additional mitigation steps are required as the fix is officially available.
CVE-2025-3523: Vulnerability in Mozilla Thunderbird
Description
When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability was fixed in Thunderbird 137.0.2 and Thunderbird 128.9.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2025-3523 in Mozilla Thunderbird involves incorrect display of attachment URLs when multiple attachments with external links are present. Specifically, the hover tooltip for attachments shows only the last URL from the X-Mozilla-External-Attachment-URL header regardless of which attachment is hovered over. This UI misrepresentation may trick users into believing they are downloading from a trusted source when the hover text is misleading. The actual link used on click remains correct. Mozilla fixed this issue in Thunderbird 137.0.2 and Thunderbird ESR 128.9.2.
Potential Impact
The vulnerability can cause user confusion by displaying incorrect hover text for attachment URLs, potentially leading users to download content from untrusted or malicious sources. While the actual link clicked is correct, the misleading UI increases the risk of social engineering attacks. The CVSS score is 6.4 (medium severity), reflecting low confidentiality impact but high integrity impact and low availability impact.
Mitigation Recommendations
This vulnerability has been fixed by Mozilla in Thunderbird 137.0.2 and Thunderbird ESR 128.9.2. Users and administrators should update to these versions or later to remediate the issue. No additional mitigation steps are required as the fix is officially available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mozilla
- Date Reserved
- 2025-04-11T15:27:51.919Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.mozilla.org/security/advisories/mfsa2025-26/","vendor":"Mozilla"},{"url":"https://www.mozilla.org/security/advisories/mfsa2025-27/","vendor":"Mozilla"}]
Threat ID: 69dd057b82d89c981f0174eb
Added to database: 4/13/2026, 3:02:19 PM
Last enriched: 4/13/2026, 3:17:53 PM
Last updated: 4/13/2026, 5:15:40 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.