CVE-2025-3909

Name of the Vulnerable Software and Affected Versions: Thunderbird versions prior to 128.10.1 Thunderbird versions prior to 138.0.1

Description: The issue arises from Thunderbird's handling of the X-Mozilla-External-Attachment-URL header, which can be exploited to execute JavaScript in the file:/// context. This is achieved by crafting a nested email attachment with a content type set to application/pdf, causing Thunderbird to incorrectly render it as HTML when opened. As a result, the embedded JavaScript can run without requiring a file download. This behavior is possible because Thunderbird auto-saves the attachment to /tmp and links to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML.

Recommendations: For versions prior to 128.10.1, update to version 128.10.1 or later to resolve the issue. For versions prior to 138.0.1, update to version 138.0.1 or later to resolve the issue. As a temporary workaround, consider disabling the automatic rendering of attachments as HTML until a patch is available. Restrict access to attachments with the application/pdf content type to minimize the risk of exploitation.