PT-2025-16352 · Mozilla+11 · Thunderbird+11

Dario Weißer · Published 2025-04-15 · Updated 2025-07-22 · CVE-2025-3522

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Thunderbird versions prior to 137.0.2
Thunderbird versions prior to 128.9.2

Description
The issue arises from Thunderbird's handling of the X-Mozilla-External-Attachment-URL header, which lets a message reference an attachment stored outside the message. When an email is opened, Thunderbird contacts the specified URL to determine the file size, and navigates to it when the user clicks the attachment. Because the URL is neither validated nor sanitized, it can point at internal resources such as chrome:// URLs or file:// links to SMB shares. This can leak hashed Windows credentials and opens the door to more serious security issues.

Recommendations
For versions prior to 137.0.2, update to version 137.0.2 or later. For versions prior to 128.9.2, update to version 128.9.2 or later. As a temporary workaround, consider restricting access to external attachments until a patch is applied.
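The description above says the weakness is an unvalidated scheme in the X-Mozilla-External-Attachment-URL header, and the workaround is to restrict external attachments until the fix is installed. The following is an added example, not code from the advisory or from Thunderbird, of the check a mail gateway or mailbox scanner could apply: parse a message, collect that header from every MIME part, and flag any value whose scheme is not http or https (file://, chrome://, or a scheme-relative URL). The sample messages, host names and file names are constructed for illustration; the header name comes from the advisory.

```python
"""Flag X-Mozilla-External-Attachment-URL headers whose URL scheme is not http(s).

Added example for the PT-2025-16352 / CVE-2025-3522 record; it is not part of the
advisory or of Thunderbird. The sample messages below are constructed.
"""
from email import message_from_string
from email.message import Message
from urllib.parse import urlsplit

HEADER = "X-Mozilla-External-Attachment-URL"   # header named in the advisory
ALLOWED_SCHEMES = {"http", "https"}            # policy assumption: only web URLs may be fetched


def external_attachment_urls(msg: Message) -> list[str]:
    """Return every external-attachment URL in the message, including nested MIME parts."""
    urls: list[str] = []
    for part in msg.walk():
        urls.extend(str(v) for v in part.get_all(HEADER, []))
    return urls


def classify_url(url: str) -> str:
    """Return 'allowed' for http(s); otherwise the offending scheme or 'missing-scheme'."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if not scheme:
        # A scheme-relative URL (//host/share) resolves against whatever context opens it,
        # so it is flagged rather than allowed.
        return "missing-scheme"
    return "allowed" if scheme in ALLOWED_SCHEMES else scheme


def scan_message(raw: str) -> list[tuple[str, str]]:
    """Return (url, finding) pairs for every header value that policy should block."""
    msg = message_from_string(raw)
    findings = []
    for url in external_attachment_urls(msg):
        verdict = classify_url(url)
        if verdict != "allowed":
            findings.append((url, verdict))
    return findings


# Constructed sample: a multipart message carrying two external attachments that
# point outside http(s), one file:// share path and one chrome:// resource.
SAMPLE_FLAGGED = (
    "From: sender@example.test\n"
    "To: user@example.test\n"
    "Subject: invoice\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "Please see the attached invoice.\n"
    "--b1\n"
    "Content-Type: application/octet-stream\n"
    "X-Mozilla-External-Attachment-URL: file:////fileserver.example.test/share/invoice.pdf\n"
    'Content-Disposition: attachment; filename="invoice.pdf"\n'
    "\n"
    "--b1\n"
    "Content-Type: application/octet-stream\n"
    "X-Mozilla-External-Attachment-URL: chrome://messenger/content/\n"
    'Content-Disposition: attachment; filename="notes.txt"\n'
    "\n"
    "--b1--\n"
)

# Constructed sample: the same layout with an https URL, which policy permits.
SAMPLE_BENIGN = (
    "From: sender@example.test\n"
    "To: user@example.test\n"
    "Subject: report\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b2"\n'
    "\n"
    "--b2\n"
    "Content-Type: application/pdf\n"
    "X-Mozilla-External-Attachment-URL: https://files.example.test/report.pdf\n"
    'Content-Disposition: attachment; filename="report.pdf"\n'
    "\n"
    "--b2--\n"
)

if __name__ == "__main__":
    for name, raw in (("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN)):
        for url, finding in scan_message(raw):
            print(f"{name}: block {url!r} (scheme {finding})")
```

The scan walks every part because Thunderbird reads the header from the attachment part, not from the top-level message. A gateway that strips or quarantines flagged parts gives the "restrict external attachments" workaround a concrete form while clients are still being updated.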

Fix

Open Redirect

Weakness Enumeration

Related Identifiers

ALSA-2025:4229
ALSA-2025:4649
ALSA-2025:7435
ALSA-2025:7507
ALT-PU-2025-5887
ALT-PU-2025-7695
BDU:2025-06555
CESA-2025_4649
CVE-2025-3522
DLA-4167-1
DSA-5912-1
INFSA-2025_4229
INFSA-2025_4649
INFSA-2025_7435
OESA-2025-1835
OPENSUSE-SU-2025:15000-1
OPENSUSE-SU-2025_1366-1
RHSA-2025:4229
RHSA-2025:4389
RHSA-2025:4512
RHSA-2025:4513
RHSA-2025:4514
RHSA-2025:4617
RHSA-2025:4649
RHSA-2025:4654
RHSA-2025:4665
RHSA-2025:7435
RHSA-2025:7507
RHSA-2025_4229
RHSA-2025_4649
RHSA-2025_7435
SUSE-SU-2025:1366-1
USN-7663-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Thunderbird
Ubuntu