CVE-2025-3522: 
NixOS vulnerability analysis and mitigation

CVE-2025-3522 is a high-impact security vulnerability discovered in Mozilla Thunderbird that affects versions prior to 137.0.2 and 128.9.2. The vulnerability was reported by security researcher Dario Weißer and publicly disclosed on April 15, 2025. The issue exists in how Thunderbird processes the X-Mozilla-External-Attachment-URL header for handling external attachments (Mozilla Advisory, NVD).

The vulnerability stems from Thunderbird's handling of the X-Mozilla-External-Attachment-URL header used for external attachments. When an email containing such an attachment is opened, Thunderbird automatically accesses the specified URL to determine the file size and later navigates to it when the user clicks the attachment. The core issue is that the URL is neither validated nor sanitized, allowing it to reference internal resources including chrome:// or SMB share file:// links. The vulnerability has received a CVSS 3.1 base score of 7.4 from Red Hat, indicating high severity (Red Hat).

The primary impact of this vulnerability is the potential leakage of hashed Windows credentials. When an attacker crafts a malicious email with specifically formatted external attachment URLs, they can trigger automatic connections to controlled SMB shares, leading to the exposure of the victim's hashed Windows credentials. This credential leakage could potentially open doors to more serious security compromises (Mozilla Advisory).

Mozilla has addressed this vulnerability by releasing security updates in Thunderbird version 137.0.2 and Thunderbird ESR 128.9.2. Users are strongly advised to update their Thunderbird installations to these or later versions to mitigate the risk (Mozilla Advisory, Mozilla ESR Advisory).