Critical Vulnerability Information

Vulnerability Overview

Announcement Date: March 13, 2025
Impact: High
Product: Thunderbird
Fixed Version: Thunderbird 128.10.1

CVE-2025-3875: Sender Spoofing via Malformed From Header in Thunderbird

Reporter: xh4vm
Impact: High
Description: Thunderbird's method of parsing email addresses may allow sender spoofing if the server permits invalid From addresses. For example, if the From header contains an invalid value like "Spoofed Name spoofed@example.com", Thunderbird will treat spoofed@example.com as the actual sender address.

CVE-2025-3877: Unauthorized File Downloads, Disk Space Exhaustion, and Credential Leakage via mailbox:/// Links

Reporter: Dario Weißer
Impact: High
Description: Crafted HTML emails containing mailbox:/// links can trigger automatic, unauthorized .pdf file downloads to the user's desktop or home directory without any prompt, even if auto-save is disabled. This may lead to disk space exhaustion or leakage of Windows credentials when the email is viewed in HTML mode. User interaction is required to initiate the download, but visual obfuscation can hide the trigger mechanism.

CVE-2025-3909: JavaScript Execution via Faked PDF Attachments and file:/// Links

Reporter: Dario Weißer
Impact: High
Description: Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in a file:/// context. By nesting email attachments (message/rfc822) and setting their content type to application/pdf, Thunderbird may interpret the attachment as HTML, allowing embedded JavaScript to run without requiring a download. This behavior relies on Thunderbird automatically saving attachments to /tmp and loading them via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML content.
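The root cause behind CVE-2025-3875 is a forgiving address parser that pulls a usable addr-spec out of a From header that is not actually well-formed. A mail gateway or client-side filter can catch this class of header by parsing it twice: once with a strict single-mailbox grammar and once with a lenient "first thing that looks like an address" extraction, and treating any disagreement as untrusted. The following is an added example written for this page; it is not Thunderbird code, the grammar is a deliberately narrow subset of RFC 5322, and the function names (parse_strict, parse_lenient, assess_from_header) and sample headers are constructed for the illustration.

```python
"""Strict vs. lenient From-header parsing as a mail-filter check.

Added example, not Thunderbird code.  A From header that the strict grammar
rejects but a lenient extractor still "finds" an address in is exactly the
kind of value the advisory describes, and is reported as untrusted instead
of being silently repaired into a sender address.
"""
import re
from typing import Optional

# Constructed, deliberately narrow grammar: exactly one mailbox of the form
#   addr-spec                          alice@example.com
#   display-name <addr-spec>           Alice <alice@example.com>
#   "quoted display name" <addr-spec>  "Alice Smith" <alice@example.com>
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
DOT_ATOM = rf"{ATEXT}(?:\.{ATEXT})*"
ADDR_SPEC = rf"{DOT_ATOM}@{DOT_ATOM}"
PHRASE = rf'(?:{ATEXT}(?:\s+{ATEXT})*|"(?:[^"\\]|\\.)*")'
STRICT_MAILBOX = re.compile(
    rf"^\s*(?:(?P<addr>{ADDR_SPEC})|(?P<name>{PHRASE})?\s*<(?P<angle>{ADDR_SPEC})>)\s*$"
)

# Lenient extraction: the first addr-spec-looking substring anywhere in the
# header.  This is how a forgiving parser ends up trusting "spoofed@example.com"
# inside "Spoofed Name spoofed@example.com".
LENIENT_ADDR = re.compile(ADDR_SPEC)


def parse_strict(from_header: str) -> Optional[str]:
    """Return the addr-spec only if the header is a single well-formed mailbox."""
    m = STRICT_MAILBOX.match(from_header)
    if not m:
        return None
    return m.group("addr") or m.group("angle")


def parse_lenient(from_header: str) -> Optional[str]:
    """Return whatever a forgiving parser would pick out, or None."""
    m = LENIENT_ADDR.search(from_header)
    return m.group(0) if m else None


def assess_from_header(from_header: str) -> dict:
    """Classify a From header: ok, malformed-untrusted, or no-address."""
    strict = parse_strict(from_header)
    lenient = parse_lenient(from_header)
    if strict is not None:
        verdict = "ok"
    elif lenient is not None:
        # A strict parser rejects the header, yet a lenient one would display
        # `lenient` as the sender: do not trust it, show/quarantine instead.
        verdict = "malformed-untrusted"
    else:
        verdict = "no-address"
    return {"header": from_header, "strict": strict, "lenient": lenient, "verdict": verdict}


# Constructed sample headers; the fourth is the advisory's own example value.
SAMPLES = [
    "alice@example.com",
    "Alice <alice@example.com>",
    '"Alice Smith" <alice@example.com>',
    "Spoofed Name spoofed@example.com",
    "Alice <alice@example.com> bob@example.org",
]

if __name__ == "__main__":
    for header in SAMPLES:
        r = assess_from_header(header)
        print(f"{r['verdict']:<20} strict={str(r['strict']):<22} "
              f"lenient={str(r['lenient']):<22} {header!r}")
```

The useful signal is the disagreement, not either parser alone: a header the strict grammar accepts can be displayed as-is, while one where only the lenient extraction yields an address should be shown with the raw header (or rejected at the gateway) rather than rendered as if it came from spoofed@example.com.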
CVE-2025-3932: Tracking Links in Attachments Bypass Remote Content Blocking

Reporter: Dario Weißer
Impact: Low
Description: An email can be crafted to display a tracking link as an attachment. If the user attempts to open the attachment, Thunderbird will automatically access the link. Configurations blocking remote content cannot prevent this behavior. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header within emails.
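CVE-2025-3877, CVE-2025-3909 and CVE-2025-3932 share two observable traits in the message itself: a MIME part (possibly nested inside a message/rfc822 attachment) that carries an X-Mozilla-External-Attachment-URL header, and HTML bodies that link to mailbox:/// or file:/// URLs. Until clients are updated, a mail filter can flag both before the message reaches an inbox. The following is an added example, not Thunderbird's or Mozilla's code; the scanning function (scan_message) and the two embedded sample messages, including their URLs and file names, are constructed for the illustration.

```python
"""Scan a message for the attachment tricks described in CVE-2025-3877,
CVE-2025-3909 and CVE-2025-3932 (added example, not Thunderbird code).

Uses the standard-library email parser, walks every MIME part (walk()
descends into message/rfc822 parts, so nested attachments are covered), and
reports parts carrying X-Mozilla-External-Attachment-URL as well as HTML
bodies whose links use the mailbox:/// or file:/// schemes.
"""
import re
from email import policy
from email.parser import BytesParser

RISKY_SCHEMES = ("mailbox:///", "file:///")
EXTERNAL_HDR = "X-Mozilla-External-Attachment-URL"
HREF_RE = re.compile(r"""(?:href|src)\s*=\s*["']?\s*([^"'\s>]+)""", re.IGNORECASE)


def scan_message(raw: bytes) -> list:
    """Return a list of findings, one dict per suspicious part/link."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for idx, part in enumerate(msg.walk()):
        ctype = part.get_content_type()
        ext_url = part.get(EXTERNAL_HDR)
        if ext_url:
            # CVE-2025-3909 / CVE-2025-3932: attachment body fetched from a URL
            findings.append({"part": idx, "type": ctype,
                             "reason": "external-attachment-url", "value": str(ext_url)})
        if ctype == "text/html":
            # CVE-2025-3877: links into the local mailbox or filesystem
            for url in HREF_RE.findall(part.get_content()):
                if url.lower().startswith(RISKY_SCHEMES):
                    findings.append({"part": idx, "type": ctype,
                                     "reason": "local-scheme-link", "value": url})
    return findings


# Constructed sample: an HTML part with a mailbox:/// link, a nested
# message/rfc822 attachment, and a "PDF" part whose content is external.
SUSPICIOUS_EMAIL = b"""\
From: Alice <alice@example.com>
To: bob@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Report: <a href="mailbox:///constructed/path/report.pdf">open</a></p>
<img src="https://example.net/logo.png">
</body></html>
--outer
Content-Type: message/rfc822
Content-Disposition: attachment; filename="inner.eml"

From: alice@example.com
Subject: inner
Content-Type: text/plain

inner body
--outer
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
X-Mozilla-External-Attachment-URL: https://tracking.example.net/open?id=constructed

--outer--
"""

# Constructed clean sample for comparison.
CLEAN_EMAIL = b"""\
From: Alice <alice@example.com>
To: bob@example.org
Subject: plain text
Content-Type: text/plain

Nothing to see here.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label)
        for f in scan_message(raw):
            print(f"  part {f['part']} ({f['type']}): {f['reason']} -> {f['value']}")
```

Because the check is on the raw message rather than on rendered behaviour, it works regardless of whether the user's client blocks remote content, which is exactly the setting CVE-2025-3932 bypasses.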