CVE-2025-3932: It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird...
Description
It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
Classification
CVE ID: CVE-2025-3932
CVSS Base Severity: MEDIUM
CVSS Base Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Problem Types
Tracking Links in Attachments Bypassed Remote Content BlockingAffected Products
Vendor: Mozilla
Product: Thunderbird
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.03% (probability of being exploited)
EPSS Percentile: 8.49% (scored less or equal to compared to others)
EPSS Date: 2025-06-12 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-3932https://bugzilla.mozilla.org/show_bug.cgi?id=1960412
https://www.mozilla.org/security/advisories/mfsa2025-34/
https://www.mozilla.org/security/advisories/mfsa2025-35/