Search for vulnerabilities
Vulnerability details: VCID-y4aa-75av-mub4
Vulnerability ID VCID-y4aa-75av-mub4
Aliases CVE-2025-3909
Summary Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-290 Authentication Bypass by Spoofing
System Score Found at
cvssv3 6.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3909.json
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.0004 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.0004 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.0004 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00055 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00055 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00055 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00055 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00055 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00055 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00055 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00055 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
epss 0.00055 https://api.first.org/data/v1/epss?cve=CVE-2025-3909
cvssv3.1 6.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1958376
ssvc Track https://bugzilla.mozilla.org/show_bug.cgi?id=1958376
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2025-34
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2025-35
cvssv3.1 6.5 https://www.mozilla.org/security/advisories/mfsa2025-34/
ssvc Track https://www.mozilla.org/security/advisories/mfsa2025-34/
cvssv3.1 6.5 https://www.mozilla.org/security/advisories/mfsa2025-35/
ssvc Track https://www.mozilla.org/security/advisories/mfsa2025-35/
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3909.json
https://api.first.org/data/v1/epss?cve=CVE-2025-3909
https://bugzilla.mozilla.org/show_bug.cgi?id=1958376
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3909
https://www.mozilla.org/security/advisories/mfsa2025-34/
https://www.mozilla.org/security/advisories/mfsa2025-35/
2366283 https://bugzilla.redhat.com/show_bug.cgi?id=2366283
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
CVE-2025-3909 https://nvd.nist.gov/vuln/detail/CVE-2025-3909
mfsa2025-34 https://www.mozilla.org/en-US/security/advisories/mfsa2025-34
mfsa2025-35 https://www.mozilla.org/en-US/security/advisories/mfsa2025-35
RHSA-2025:8196 https://access.redhat.com/errata/RHSA-2025:8196
RHSA-2025:8203 https://access.redhat.com/errata/RHSA-2025:8203
RHSA-2025:8324 https://access.redhat.com/errata/RHSA-2025:8324
RHSA-2025:8325 https://access.redhat.com/errata/RHSA-2025:8325
RHSA-2025:8326 https://access.redhat.com/errata/RHSA-2025:8326
RHSA-2025:8391 https://access.redhat.com/errata/RHSA-2025:8391
RHSA-2025:8507 https://access.redhat.com/errata/RHSA-2025:8507
RHSA-2025:8594 https://access.redhat.com/errata/RHSA-2025:8594
RHSA-2025:8756 https://access.redhat.com/errata/RHSA-2025:8756
RHSA-2025:8784 https://access.redhat.com/errata/RHSA-2025:8784
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-3909.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1958376
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T14:45:10Z/ Found at https://bugzilla.mozilla.org/show_bug.cgi?id=1958376
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://www.mozilla.org/security/advisories/mfsa2025-34/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T14:45:10Z/ Found at https://www.mozilla.org/security/advisories/mfsa2025-34/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://www.mozilla.org/security/advisories/mfsa2025-35/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-15T14:45:10Z/ Found at https://www.mozilla.org/security/advisories/mfsa2025-35/
Exploit Prediction Scoring System (EPSS)
Percentile 0.02653
EPSS Score 0.00017
Published At May 15, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-05-14T21:39:26.649116+00:00 Mozilla Importer Import https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2025/mfsa2025-34.yml 36.0.0