CVE-2025-3932

It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.

Published: May 14, 2025
Updated: May 15, 2025
CVE: CVE-2025-3932
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
mozilla / thunderbird	-	128.10.1
mozilla / thunderbird	129.0	138.0.1

https://bugzilla.mozilla.org/show_bug.cgi?id=1960412
https://www.mozilla.org/security/advisories/mfsa2025-34/
https://www.mozilla.org/security/advisories/mfsa2025-35/

Vulnerability Database

289,599

CVE-2025-3932