CVE-2025-3523

6.4 MEDIUM

📋 TL;DR

This vulnerability in the Thunderbird email client causes misleading hover text when an email contains multiple attachments with external links: hovering over any of the attachments shows only the last link's URL, potentially tricking users into downloading malicious content. It affects Thunderbird users on vulnerable versions.

💻 Affected Systems

Products:
  • Mozilla Thunderbird
Versions: Thunderbird < 137.0.2 and Thunderbird ESR < 128.9.2
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All Thunderbird installations on affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: User downloads and executes malware from an untrusted source, leading to system compromise, data theft, or ransomware infection.

🟠 Likely Case: User downloads a malicious file thinking it is from a trusted source, potentially leading to malware infection or phishing credential theft.

🟢 If Mitigated: User notices the discrepancy or has security controls preventing execution, limiting the impact to a failed download attempt.

🌐 Internet-Facing: MEDIUM - Requires user interaction with malicious email, but email is common attack vector.
🏢 Internal Only: LOW - Primarily affects individual client software, not server infrastructure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the user to open a malicious email, hover over an attachment, and act on the misleading link text.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Thunderbird 137.0.2 or Thunderbird 128.9.2

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-26/

Restart Required: Yes

Instructions:

1. Open Thunderbird.
2. Go to Help > About Thunderbird.
3. Allow the automatic update or download the latest version from mozilla.org.
4. Restart Thunderbird after the update.

🔧 Temporary Workarounds

Workaround: Disable external attachment links
Platforms: all
Configure Thunderbird to block external attachment URLs carried in the X-Mozilla-External-Attachment-URL header.

Workaround: Disable link preview on hover
Platforms: all
Disable tooltips or hover preview functionality in Thunderbird settings.

🧯 If You Can't Patch

  • Train users to verify URLs before clicking by checking the status bar or link properties
  • Implement email filtering to block messages carrying X-Mozilla-External-Attachment-URL headers

🔍 How to Verify

Check if Vulnerable:

Check the Thunderbird version under Help > About Thunderbird. If the version is below 137.0.2 (or, for ESR 128, below 128.9.2), the installation is vulnerable.

Check Version:

thunderbird --version

Verify Fix Applied:

After updating, verify that the version shows 137.0.2 or higher (or 128.9.2 or higher for ESR). Test with a safe email containing multiple external attachment links and confirm each attachment's hover text shows its own link.

📡 Detection & Monitoring

Log Indicators:

  • Multiple X-Mozilla-External-Attachment-URL headers in email logs
  • User reports of misleading link hover text

Network Indicators:

  • Email traffic with multiple external attachment URLs

SIEM Query:

source="thunderbird" AND "X-Mozilla-External-Attachment-URL" count>1
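The filtering and detection checks above can be implemented mail-side. The following is an added example, not code from the advisory or from Thunderbird: it parses a raw message, collects every MIME part carrying an X-Mozilla-External-Attachment-URL header, and flags messages with more than one such part, which is the condition under which the misleading hover text occurs. The sample message, addresses and hostnames are constructed.

```python
import email
from email import policy
from urllib.parse import urlparse

HEADER = "X-Mozilla-External-Attachment-URL"

# Constructed sample (not a real capture): two attachments whose parts carry the
# external-URL header and point at different hosts.
SAMPLE_EML = b"""From: sender@example.test
To: recipient@example.test
Subject: Q3 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
X-Mozilla-External-Attachment-URL: https://files.example.test/report.pdf

--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
X-Mozilla-External-Attachment-URL: https://downloads.other-host.test/invoice.pdf

--b1--
"""

def external_attachments(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, url) for every MIME part carrying the external-URL header."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        url = part.get(HEADER)
        if url:
            found.append((part.get_filename() or "(no name)", str(url).strip()))
    return found

def assess(raw: bytes) -> dict:
    """Flag a message when more than one attachment is linked externally."""
    links = external_attachments(raw)
    return {
        "linked_attachments": len(links),
        "hosts": sorted({urlparse(u).hostname or "" for _, u in links}),
        # Vulnerable builds show only the last link on hover, so the misleading
        # case needs at least two linked attachments; a filter can quarantine these.
        "suspicious": len(links) > 1,
    }
```

A gateway filter would run assess() on each inbound message and quarantine or strip the linked attachments when "suspicious" is true; the hosts list gives the analyst the distinct link targets to review.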

🔗 References
