CVE-2025-3909: 
NixOS vulnerability analysis and mitigation

A critical security vulnerability (CVE-2025-3909) was discovered in Mozilla Thunderbird versions prior to 128.10.1 and 138.0.1. The vulnerability was disclosed on May 14, 2025, and involves Thunderbird's handling of the X-Mozilla-External-Attachment-URL header, which can be exploited to execute JavaScript in the file:/// context (Wiz Report, Mozilla Advisory).

The vulnerability stems from Thunderbird's improper handling of nested email attachments. An attacker can craft a message/rfc822 attachment and set its content type to application/pdf, which Thunderbird incorrectly renders as HTML when opened. The application auto-saves the attachment to the /tmp directory and creates a link via the file:/// protocol, enabling JavaScript execution within the HTML context without requiring a file download. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N and is classified under CWE-290 (Authentication Bypass by Spoofing) (Wiz Report, NVD).

When successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the file:/// context within Thunderbird. This could potentially lead to unauthorized access to local files, data theft, and other malicious activities that JavaScript can perform within the local file system context (Mozilla Advisory).

Mozilla has released security patches in Thunderbird versions 128.10.1 and 138.0.1 to address this vulnerability. Users are strongly advised to update to these latest versions. The fix prevents the improper rendering of PDF attachments as HTML and blocks JavaScript execution via the file:/// protocol in this context (Mozilla Advisory, Mozilla Advisory).