CVE-2025-3522
Publication date 15 April 2025
Last updated 22 July 2025
Ubuntu priority
Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| thunderbird | 25.04 plucky |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Fixed 1:128.12.0+build1-0ubuntu0.22.04.1
|
|
| 20.04 LTS focal | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.3 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
References
Related Ubuntu Security Notices (USN)
- USN-7663-1
- Thunderbird vulnerabilities
- 22 July 2025