CVE-2025-2830: 
NixOS vulnerability analysis and mitigation

CVE-2025-2830 is a security vulnerability discovered in Mozilla Thunderbird that was disclosed on April 15, 2025. The vulnerability affects Thunderbird versions below 137.0.2 and 128.9.2, impacting both Linux and Windows systems. The issue was reported by security researcher Dario Weißer (Mozilla Advisory).

The vulnerability involves a directory traversal issue where an attacker can manipulate file names for attachments in multipart messages. The flaw is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). According to CISA's assessment, it has received a CVSS 3.1 base score of 6.3 (Medium), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L. Red Hat's assessment differs slightly, rating it with a CVSS score of 6.1 and vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N (NVD, Red Hat).

When exploited, this vulnerability allows attackers to disclose sensitive information from the victim's system by exposing directory listings of the /tmp directory. The exposure occurs when a maliciously crafted message is forwarded or edited as a new message. The impact is not confined to Linux systems, as similar information disclosure has been confirmed on Windows platforms as well (Mozilla Advisory).

Mozilla has addressed this vulnerability by releasing security updates in Thunderbird version 137.0.2 and Thunderbird ESR 128.9.2. Users are strongly advised to upgrade to these or later versions to mitigate the risk (Mozilla Advisory, Mozilla Advisory).