
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-3932 is a security vulnerability discovered in Mozilla Thunderbird versions prior to 128.10.1 and 138.0.1. The vulnerability was discovered by security researcher Dario Weißer and publicly disclosed on May 13, 2025. The issue allows attackers to bypass remote content blocking through crafted emails containing tracking links disguised as attachments (Mozilla Advisory, NVD).
The vulnerability exploits Thunderbird's handling of the X-Mozilla-External-Attachment-URL header. When an email is crafted to show a tracking link as an attachment, attempting to open the attachment would cause Thunderbird to automatically access the link, even when remote content blocking was enabled. The CVSS 3.1 base score is 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (Wiz, NVD).
The impact of this vulnerability is considered low according to Mozilla's assessment. The primary risk involves potential privacy violations through tracking links that could be accessed without user awareness, bypassing the intended protection of remote content blocking settings (Mozilla Advisory).
Mozilla has addressed this vulnerability by modifying Thunderbird to prevent access to web pages listed in the X-Mozilla-External-Attachment-URL header of emails. Users are advised to upgrade to Thunderbird version 128.10.1 or 138.0.1 or later to receive the fix (Mozilla Advisory, NVD).
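For triage on clients that cannot be upgraded immediately, stored or inbound messages can be checked for the header described above. The following is an added example, not code from Mozilla or from the advisory; the sample message, its addresses and URLs are constructed, and treating only `http`/`https` targets as remote is an assumption of this sketch.

```python
from email import message_from_string, policy
from urllib.parse import urlsplit

HEADER = "X-Mozilla-External-Attachment-URL"
# Assumption for this example: only http(s) targets count as remote content.
REMOTE_SCHEMES = {"http", "https"}

def external_attachment_urls(raw_message):
    """Return one finding per MIME part (or top-level header) carrying HEADER."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():  # walk() yields the root message and every sub-part
        for value in part.get_all(HEADER, []):
            url = str(value).strip()
            target = urlsplit(url)
            findings.append({
                "filename": part.get_filename(),
                "url": url,
                "host": target.hostname,
                "remote": target.scheme.lower() in REMOTE_SCHEMES,
            })
    return findings

def remote_findings(raw_message):
    """Findings a mail gateway or triage script would flag for review."""
    return [f for f in external_attachment_urls(raw_message) if f["remote"]]

def build_sample(attachment_url=None):
    """Constructed test message; addresses and URLs are placeholders."""
    extra = f"{HEADER}: {attachment_url}\n" if attachment_url else ""
    return (
        "From: sender@example.com\nTo: user@example.org\nSubject: Invoice\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nSee attached.\n"
        '--b1\nContent-Type: application/pdf; name="invoice.pdf"\n'
        'Content-Disposition: attachment; filename="invoice.pdf"\n'
        f"{extra}\n--b1--\n"
    )

if __name__ == "__main__":
    sample = build_sample("https://tracker.example.net/open?id=constructed-123")
    for finding in remote_findings(sample):
        print(f"review: {finding['filename']} -> {finding['host']}")
```

A hit only means the message carries the header with a remote target; it does not show that the link was accessed.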
Source: This report was generated using AI