CVE-2025-3522

Severity CVSS v4.0:

Pending analysis

Type:

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

Publication date:

15/04/2025

Last modified:

13/04/2026

Description

Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability was fixed in Thunderbird 137.0.2 and Thunderbird 128.9.2.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVSS v3.1 Severity and Metrics:

Base Score: 6.30 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low

Base Score 3.x

6.30

Severity 3.x

MEDIUM

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:mozilla:thunderbird::::::::		128.9.2 (excluding)
cpe:2.3:a:mozilla:thunderbird::::::::	129.0 (including)	137.0.2 (excluding)

To consult the complete list of CPE names with products and versions, see this page

CVE-2025-3522

Description

Impact

Vulnerable products and versions

References to Advisories, Solutions, and Tools