CVE-2025-5986: Vulnerability in Mozilla Thunderbird
A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content. This vulnerability was fixed in Thunderbird 128.11.1 and Thunderbird 139.0.2.
AI Analysis
Technical Summary
The vulnerability CVE-2025-5986 affects Mozilla Thunderbird and involves crafted HTML emails containing mailbox:/// links that trigger automatic downloads of .pdf files to user directories without prompting, bypassing auto-save settings. This behavior can be abused to fill disk space with arbitrary data or leak Windows credentials via SMB links. The attack requires the email to be viewed in HTML mode, and although user interaction is needed to initiate the download, visual obfuscation techniques can conceal the trigger. Mozilla fixed this issue in Thunderbird versions 128.11.1 and 139.0.2 as documented in their security advisories MFSA2025-49 and MFSA2025-50.
Potential Impact
The vulnerability allows attackers to cause denial of service by exhausting disk space with unsolicited file downloads and can lead to credential leakage on Windows systems via SMB links. The impact is rated high by Mozilla, with a CVSS score of 6.5 (medium severity). There is no confidentiality or integrity impact directly, but availability is affected due to disk exhaustion, and credential leakage poses a significant security risk.
Mitigation Recommendations
This vulnerability is fixed in Mozilla Thunderbird versions 128.11.1 and 139.0.2. Users and administrators should update to one of these versions or later to remediate the issue. No additional mitigation is required once the update is applied. Patch status is confirmed by the Mozilla advisories MFSA2025-49 and MFSA2025-50.
CVE-2025-5986: Vulnerability in Mozilla Thunderbird
Description
A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content. This vulnerability was fixed in Thunderbird 128.11.1 and Thunderbird 139.0.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2025-5986 affects Mozilla Thunderbird and involves crafted HTML emails containing mailbox:/// links that trigger automatic downloads of .pdf files to user directories without prompting, bypassing auto-save settings. This behavior can be abused to fill disk space with arbitrary data or leak Windows credentials via SMB links. The attack requires the email to be viewed in HTML mode, and although user interaction is needed to initiate the download, visual obfuscation techniques can conceal the trigger. Mozilla fixed this issue in Thunderbird versions 128.11.1 and 139.0.2 as documented in their security advisories MFSA2025-49 and MFSA2025-50.
Potential Impact
The vulnerability allows attackers to cause denial of service by exhausting disk space with unsolicited file downloads and can lead to credential leakage on Windows systems via SMB links. The impact is rated high by Mozilla, with a CVSS score of 6.5 (medium severity). There is no confidentiality or integrity impact directly, but availability is affected due to disk exhaustion, and credential leakage poses a significant security risk.
Mitigation Recommendations
This vulnerability is fixed in Mozilla Thunderbird versions 128.11.1 and 139.0.2. Users and administrators should update to one of these versions or later to remediate the issue. No additional mitigation is required once the update is applied. Patch status is confirmed by the Mozilla advisories MFSA2025-49 and MFSA2025-50.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- mozilla
- Date Reserved
- 2025-06-10T20:07:11.178Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 6849756223110031d40fa8ce
Added to database: 6/11/2025, 12:24:02 PM
Last enriched: 4/14/2026, 11:50:52 AM
Last updated: 5/9/2026, 4:33:48 AM
Views: 84
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.