CVE-2025-3909: Vulnerability in Mozilla Thunderbird
Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.
AI Analysis
Technical Summary
Mozilla Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited by attackers who craft a nested email attachment of type message/rfc822 with a content type set to application/pdf. Thunderbird may mistakenly render this attachment as HTML when opened, enabling embedded JavaScript execution in the file:/// context. This is facilitated by Thunderbird auto-saving the attachment to the /tmp directory and linking to it via the file:/// protocol. The vulnerability allows JavaScript execution without requiring the user to download the attachment explicitly. This issue is tracked as CVE-2025-3909 and was addressed in Thunderbird versions 128.10.1 and 138.0.1 as per Mozilla security advisories MFSA2025-34 and MFSA2025-35.
Potential Impact
Successful exploitation of this vulnerability can lead to execution of arbitrary JavaScript code in the local file context of Thunderbird users, potentially compromising confidentiality and integrity of user data within the application context. The CVSS 3.1 score of 8.1 reflects high impact on confidentiality and integrity with no required privileges and low attack complexity, but user interaction is required to open the crafted attachment. There is no indication of availability impact. No known exploits in the wild have been reported at the time of publication.
Mitigation Recommendations
This vulnerability has been officially fixed by Mozilla in Thunderbird versions 128.10.1 and 138.0.1. Users and administrators should update affected Thunderbird installations to at least these versions to remediate the issue. No additional mitigation steps are required beyond applying the official patches provided by Mozilla.
CVE-2025-3909: Vulnerability in Mozilla Thunderbird
Description
Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Mozilla Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited by attackers who craft a nested email attachment of type message/rfc822 with a content type set to application/pdf. Thunderbird may mistakenly render this attachment as HTML when opened, enabling embedded JavaScript execution in the file:/// context. This is facilitated by Thunderbird auto-saving the attachment to the /tmp directory and linking to it via the file:/// protocol. The vulnerability allows JavaScript execution without requiring the user to download the attachment explicitly. This issue is tracked as CVE-2025-3909 and was addressed in Thunderbird versions 128.10.1 and 138.0.1 as per Mozilla security advisories MFSA2025-34 and MFSA2025-35.
Potential Impact
Successful exploitation of this vulnerability can lead to execution of arbitrary JavaScript code in the local file context of Thunderbird users, potentially compromising confidentiality and integrity of user data within the application context. The CVSS 3.1 score of 8.1 reflects high impact on confidentiality and integrity with no required privileges and low attack complexity, but user interaction is required to open the crafted attachment. There is no indication of availability impact. No known exploits in the wild have been reported at the time of publication.
Mitigation Recommendations
This vulnerability has been officially fixed by Mozilla in Thunderbird versions 128.10.1 and 138.0.1. Users and administrators should update affected Thunderbird installations to at least these versions to remediate the issue. No additional mitigation steps are required beyond applying the official patches provided by Mozilla.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- mozilla
- Date Reserved
- 2025-04-23T17:44:42.650Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682cd0fa1484d88663aec0b3
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 4/14/2026, 11:45:43 AM
Last updated: 5/8/2026, 9:12:04 PM
Views: 75
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.