CVE-2025-3909: JavaScript Execution via Spoofed PDF Attachment and file:/// Link in Mozilla Thunderbird
Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
AI Analysis
Technical Summary
CVE-2025-3909 is a vulnerability in Mozilla Thunderbird's email client that allows remote attackers to execute JavaScript code in the local file context (file:///) by exploiting the way Thunderbird processes the X-Mozilla-External-Attachment-URL header. Specifically, an attacker crafts a nested email attachment of type message/rfc822 containing a sub-attachment with a content type set to application/pdf. Thunderbird incorrectly renders this PDF attachment as HTML when opened, rather than as a PDF document. This misinterpretation enables embedded JavaScript within the attachment to execute in the file:/// context. The vulnerability leverages Thunderbird's behavior of auto-saving attachments to the /tmp directory and linking to them using the file:/// protocol. Because the JavaScript runs locally, it can potentially access local resources or perform actions within the scope allowed by the file:/// context, which may lead to confidentiality and integrity impacts. Notably, exploitation does not require any user interaction such as downloading or opening files manually, nor does it require prior authentication. The CVSS 3.1 score of 6.5 reflects the ease of remote exploitation without privileges or user interaction, but with limited impact on confidentiality and integrity, and no impact on availability. This vulnerability affects Thunderbird versions prior to 128.10.1 and 138.0.1, and no patches were linked at the time of disclosure. No known exploits have been reported in the wild, but the vulnerability presents a realistic risk for phishing or targeted email attacks that could bypass typical attachment security measures.
Potential Impact
For European organizations, this vulnerability poses a risk primarily through spear-phishing or targeted email campaigns that exploit Thunderbird's attachment handling. Successful exploitation could lead to unauthorized JavaScript execution in the local file context, potentially allowing attackers to read or manipulate local files accessible via file:/// URLs, steal sensitive information, or perform actions that compromise email client integrity. While the impact on availability is negligible, the confidentiality and integrity of local data could be affected. Organizations relying heavily on Thunderbird for email communications, especially those in sectors with high email threat exposure such as finance, government, and critical infrastructure, may face increased risk. Exploitation without user interaction increases the threat potential, particularly in environments where users are less security-aware or where email filtering is insufficient. Given Thunderbird's popularity in Europe, especially in government and open-source-friendly environments, the risk is notable. However, the lack of known exploits in the wild and the medium severity rating suggest the threat is moderate but should be addressed promptly to prevent escalation.
Mitigation Recommendations
1. Update Thunderbird to versions 128.10.1 or 138.0.1 or later as soon as patches become available to eliminate the vulnerability.
2. Until patches are applied, implement strict email filtering rules to block or quarantine emails containing nested message/rfc822 attachments or suspicious PDF attachments with unusual headers.
3. Disable or restrict the handling of the X-Mozilla-External-Attachment-URL header if possible via Thunderbird configuration or enterprise policies.
4. Educate users to be cautious with unexpected or suspicious email attachments, even if they appear as PDFs, and to report unusual email behavior.
5. Employ endpoint security solutions that monitor and restrict script execution from local file contexts, especially in temporary directories like /tmp.
6. Monitor email gateway logs and client telemetry for unusual attachment patterns or attempts to exploit this vulnerability.
7. Consider deploying sandboxing or application control measures to limit the impact of any JavaScript execution originating from email clients.
8. Coordinate with IT and security teams to ensure rapid incident response capability in case exploitation attempts are detected.
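Recommendation 2 asks the mail gateway to quarantine nested message/rfc822 attachments and PDFs carrying unusual headers. The following Python check is added here and is not part of the advisory or of Thunderbird; it walks a MIME message with the standard library and flags the three traits the advisory describes (the X-Mozilla-External-Attachment-URL header, a file: value in it, and an application/pdf part nested in message/rfc822), plus a body that lacks the PDF magic bytes. The sample message, addresses, file names and header value are constructed.

```python
import email
from email import policy

EXT_URL_HEADER = "X-Mozilla-External-Attachment-URL"

# Constructed sample (not a real exploit): a message/rfc822 attachment whose inner
# part claims to be a PDF and carries the external-attachment header; the body is
# a plain-text placeholder rather than a PDF.
SAMPLE_EML = b"""\
From: sender@example.invalid
Subject: constructed sample
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: message/rfc822

Subject: inner
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: application/pdf; name="report.pdf"
X-Mozilla-External-Attachment-URL: file:///tmp/placeholder.html

(constructed placeholder body, not a real PDF)
--inner--
--outer--
"""


def _scan_part(part, inside_rfc822, findings):
    # Recursive walk; everything below a message/rfc822 part counts as nested.
    ctype = part.get_content_type()
    ext_url = part.get(EXT_URL_HEADER)
    if ext_url is not None:
        findings.append(f"{ctype} part carries {EXT_URL_HEADER}")
        if ext_url.strip().lower().startswith("file:"):
            findings.append(f"{EXT_URL_HEADER} points at a local file: URL")
    if ctype == "application/pdf":
        if inside_rfc822:
            findings.append("application/pdf attachment nested inside message/rfc822")
        body = part.get_payload(decode=True) or b""
        if not body.lstrip().startswith(b"%PDF-"):  # spoofed PDF: no PDF magic
            findings.append("declared application/pdf but body lacks %PDF- magic")
    if part.is_multipart():
        nested = inside_rfc822 or ctype == "message/rfc822"
        for sub in part.get_payload():
            _scan_part(sub, nested, findings)


def scan_message(raw: bytes) -> list:
    # Returns a list of findings; an empty list means the pattern was not seen.
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    _scan_part(msg, False, findings)
    return findings
```

A gateway rule would quarantine on any non-empty result; a genuine top-level PDF without the header produces no findings.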
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mozilla
- Date Reserved: 2025-04-23T17:44:42.650Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0fa1484d88663aec0b3
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 11/4/2025, 1:48:55 AM
Last updated: 11/20/2025, 4:46:06 PM