{"url":"http://public2.vulnerablecode.io/api/packages/477?format=json","purl":"pkg:mozilla/Thunderbird@137.0.2","type":"mozilla","namespace":"","name":"Thunderbird","version":"137.0.2","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"138.0.0","latest_non_vulnerable_version":"151.0.0","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/723?format=json","vulnerability_id":"VCID-uycp-1f6n-p7aw","summary":"Thunderbird processes the X-Mozilla-External-Attachment-URL header\nto handle attachments which can be hosted externally. When an\nemail is opened, Thunderbird accesses the specified URL to \ndetermine file size, and navigates to it when the user clicks the\nattachment. Because the URL is not validated or sanitized, it can\nreference internal resources like chrome:// or SMB share file:// links,\npotentially leading to hashed Windows credential leakage and opening the\ndoor to more serious security issues.","references":[{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2025-26","reference_id":"mfsa2025-26","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2025-26"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2025-27","reference_id":"mfsa2025-27","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2025-27"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/514?format=json","purl":"pkg:mozilla/Thunderbird@128.9.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@128.9.2"},{"url":"http://public2.vulnerablecode.io/api/packages/477?format=json","purl":"pkg:mozilla/Thunderbird@137.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@137.0.2"}],"aliases":["CVE-2025-3522"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uycp-1f6n-p7aw"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Thunderbird@137.0.2"}