#21566 closed enhancement (fixed)
thunderbird-128.10.1esr
| Reported by: | Joe Locash | Owned by: | zeckma |
|---|---|---|---|
| Priority: | high | Milestone: | 12.4 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
What’s Fixed
- Standalone message windows/tabs no longer responded after folder compaction
- Thunderbird could crash when importing Outlook messages
- Visual and UX improvements
Security fixes
https://www.mozilla.org/en-US/security/advisories/mfsa2025-34/
- CVE-2025-3875: Sender Spoofing via Malformed From Header in Thunderbird (high)
- CVE-2025-3877: Unsolicited File Download, Disk Space Exhaustion, and Credential Leakage via mailbox:/// Links (high)
- CVE-2025-3909: JavaScript Execution via Spoofed PDF Attachment and file:/// Link (high)
- CVE-2025-3932: Tracking Links in Attachments Bypassed Remote Content Blocking (low)
Change History (5)
comment:1 by , 9 months ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 9 months ago
| Priority: | elevated → high |
|---|---|
comment:3 by , 9 months ago
Three of them are rated high, so putting this as high as well.
CVE-2025-3875 allows for spoofing if the From address is invalid. This can be achieved if the server allows this. The actual From address will appear different from what it actually is. Mozilla rates it as high.
CVE-2025-3877 can allow for HTML accessed via mailbox:/// links downloading PDF files. Triggering the downloads requires user input but can be visually obfuscated. Once triggered, it bypasses all user settings and will download no matter what. This can fill the disk with garbage data. On Windows, this can leak SMB credentials. For Linux, it abuses /dev/urandom. Mozilla rates this one high.
CVE-2025-3909, when using nested email attachments and marking it as application/pdf, allows for tricking Thunderbird into loading it as HTML which then executes potential embedded JavaScript code without needing to download the file. This process relies on saving the file to /tmp and opening the file via the file:/// prefix link. Mozilla, again, rates it high.
CVE-2025-3932, unlike the three others, is rated as low. If an attachment from an email is downloaded, it could allow for opening a tracking link and would bypass blocking remote content. For instance, if an email was sent by a fake GitHub email and it had an attachment, the tracking link would be opened by Thunderbird. Again, it's rated as low by Mozilla.
Links to all four CVEs:
comment:4 by , 9 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at 36f8c4d7866e23b2313ee232a120aea3e361c5e7.

I am taking this ticket. Douglas and I agreed to have the SA part be handed off to his backlog while I work on this ticket.