CVE-2025-3523: 
Mozilla Thunderbird vulnerability analysis and mitigation

CVE-2025-3523 is a user interface misrepresentation vulnerability discovered in Mozilla Thunderbird that affects versions prior to 137.0.2 and 128.9.2. The vulnerability was disclosed on April 15, 2025, and was reported by security researcher Dario Weißer (Mozilla Advisory).

The vulnerability occurs when an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header. The issue manifests as a UI misrepresentation where only the last link is displayed when hovering over any attachment, even though the correct link is used when clicked. The vulnerability has been assigned a CVSS 3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L. It is classified under CWE-451 (User Interface Misrepresentation of Critical Information) (NVD).

The vulnerability could potentially trick users into downloading content from untrusted sources due to the misleading hover text displayed for attachments. While the actual link used when clicking is correct, the misrepresentation of the link during hover could lead to user confusion and potential security risks (Mozilla Advisory).

The vulnerability has been patched in Thunderbird versions 137.0.2 and 128.9.2. Users are advised to update to these or later versions to mitigate the risk. The fix addresses the UI misrepresentation issue in the attachment hover text functionality (Mozilla Advisory).