CVE-2025-5986: 
NixOS vulnerability analysis and mitigation

A critical security vulnerability (CVE-2025-5986) was discovered in Mozilla Thunderbird versions prior to 128.11.1 and 139.0.2. The vulnerability, reported by security researcher Dario Weißer, involves the exploitation of mailbox:/// links in HTML emails that can trigger unauthorized PDF downloads (Wiz Analysis).

The vulnerability allows crafted HTML emails using mailbox:/// links to trigger automatic, unsolicited downloads of PDF files to the user's desktop or home directory, bypassing auto-saving settings. The CVSS v3.1 base score is 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The weakness is classified as CWE-451 (User Interface Misrepresentation of Critical Information) (NVD, Wiz Analysis).

The vulnerability can be exploited to fill the disk with garbage data (e.g., using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the PDF file, visual obfuscation techniques can conceal the download trigger. Simply viewing the email in HTML mode is sufficient to load external content (Mozilla Advisory).

Mozilla has addressed this vulnerability by releasing patches in Thunderbird versions 128.11.1 and 139.0.2. Users are strongly advised to upgrade to these or later versions to protect against this security issue (Mozilla Advisory, Mozilla Advisory).