CVE-2025-5986: Unsolicited File Download, Disk Space Exhaustion, and Credential Leakage via mailbox:/// Links in Mozilla Thunderbird
A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content. This vulnerability affects Thunderbird < 128.11.1 and Thunderbird < 139.0.2.
AI Analysis
Technical Summary
CVE-2025-5986 is a vulnerability in Mozilla Thunderbird affecting versions prior to 128.11.1 and 139.0.2. The flaw arises from the handling of mailbox:/// links embedded in crafted HTML emails. When a user views such an email in HTML mode, the client can download .pdf files to the user's desktop or home directory automatically and without prompting, even if auto-saving is disabled. Although user interaction is required to initiate the .pdf download, attackers can use visual obfuscation to conceal the download trigger, increasing the likelihood of exploitation. Beyond unsolicited downloads, the vulnerability can be abused to exhaust disk space by repeatedly downloading large or random data files (e.g., using /dev/urandom on Linux systems), potentially causing a denial of service. Additionally, on Windows systems, SMB links embedded in the email can cause Windows credentials to be sent to an attacker-controlled SMB server when the email is viewed in HTML mode. The vulnerability requires no privileges or prior authentication; user interaction is needed for the download trigger, but simply viewing the email in HTML mode is sufficient to load the external content that leads to credential leakage. The CVSS v3.1 base score is 6.5 (medium severity), reflecting a network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality or integrity impact, and high availability impact due to the disk exhaustion potential. The vulnerability is categorized under CWE-451 (User Interface (UI) Misrepresentation), highlighting the risk of deceptive UI elements facilitating exploitation.
Potential Impact
For European organizations, this vulnerability poses several risks. The unsolicited download and disk space exhaustion can disrupt user productivity and potentially cause denial of service on affected endpoints, impacting business continuity. The ability to leak Windows credentials via SMB links is particularly concerning for organizations with Windows-based infrastructure, as it could facilitate lateral movement or unauthorized access if credentials are captured by attackers. Given Thunderbird's popularity as an open-source email client in various sectors including government, education, and enterprises across Europe, exploitation could lead to compromised user accounts and data breaches. The visual obfuscation aspect increases the risk of successful phishing campaigns leveraging this vulnerability. Organizations with limited endpoint protection or lacking email security controls that inspect HTML content may be more vulnerable. The impact is heightened in environments where users frequently receive HTML emails from external or untrusted sources. Although no known exploits are currently reported in the wild, the medium severity and potential for credential theft and denial of service warrant proactive mitigation.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1. Upgrade Mozilla Thunderbird to version 128.11.1 or 139.0.2 or later, where the vulnerability is patched.
2. Configure Thunderbird to disable automatic loading of remote content in emails, especially for untrusted senders, to prevent automatic triggering of mailbox:/// links.
3. Employ endpoint security solutions capable of detecting and blocking suspicious file downloads and abnormal disk usage patterns to mitigate disk exhaustion attacks.
4. Educate users on the risks of interacting with unexpected or suspicious email content, emphasizing caution with HTML emails containing links or attachments.
5. Deploy network-level protections such as SMB traffic monitoring and blocking outbound SMB connections to untrusted external hosts to prevent credential leakage via SMB links.
6. Implement email gateway filtering to sanitize or block emails containing mailbox:/// links or suspicious HTML content.
7. Regularly audit disk usage on user endpoints to detect early signs of disk space exhaustion.
These measures go beyond generic advice by focusing on specific Thunderbird configurations, user awareness tailored to this vulnerability, and network controls targeting SMB credential leakage vectors.
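As an added example (not from the advisory or from Mozilla), a minimal email-gateway check in the spirit of mitigation 6: it parses an .eml, flags mailbox:/// and SMB-style (file:// or UNC) links in the HTML parts, and records whether each link is hidden via inline CSS, which is how the visual obfuscation described above would look to a filter. The sample message and every path in it are constructed; the regexes and the quarantine rule are this example's own assumptions, not a Thunderbird or gateway API.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Link schemes this advisory associates with CVE-2025-5986: mailbox:/// links,
# plus SMB-style links (file:// or a raw \\host\share UNC) that can leak
# Windows credentials when the client loads remote content.
SUSPICIOUS_LINK = re.compile(r"^\s*(mailbox:|file:|\\\\)", re.IGNORECASE)
# Inline styles commonly used to hide a link or trigger from the reader.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:[^.\d]|$)|font-size\s*:\s*0",
    re.IGNORECASE,
)

class LinkFinder(HTMLParser):
    """Collect every flagged href/src in an HTML body, noting visually hidden elements."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for attr in ("href", "src"):
            url = a.get(attr)
            if url and SUSPICIOUS_LINK.match(url):
                hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
                self.findings.append({"tag": tag, "attr": attr, "url": url.strip(), "hidden": hidden})

def scan_eml(raw: bytes):
    """Return findings for every text/html part of an RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    finder = LinkFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.findings

def verdict(findings):
    """Gateway decision (assumed policy): quarantine if any flagged link is present."""
    return "quarantine" if findings else "deliver"

# Constructed sample message: one benign https link, one mailbox:/// link hidden
# with CSS, and one SMB-style image source. Paths are placeholders, not a real exploit.
SAMPLE_EML = b"""From: sender@example.test
To: user@example.test
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please see the <a href="https://example.test/report">report</a>.</p>
<a href="mailbox:///placeholder/path" style="display:none">hidden</a>
<img src="file://fileserver.example.test/share/logo.png" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    found = scan_eml(SAMPLE_EML)
    for f in found:
        print(f"{f['tag']}[{f['attr']}] {f['url']} hidden={f['hidden']}")
    print(verdict(found))
```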
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mozilla
- Date Reserved: 2025-06-10T20:07:11.178Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6849756223110031d40fa8ce
Added to database: 6/11/2025, 12:24:02 PM
Last enriched: 7/12/2025, 6:01:53 AM
Last updated: 8/16/2025, 12:49:50 AM