How the CVE Works
CVE-2025-3523 stems from Thunderbird's handling of email attachments that carry external links. When an email contains multiple attachments with `X-Mozilla-External-Attachment-URL` headers, Thunderbird shows only the last attachment's link in the hover preview for every attachment. The correct URL is fetched when an attachment is clicked, but the misleading hover text can convince a user that they are opening a trusted source, which can lead to a malicious download. Thunderbird versions below 137.0.2 and 128.9.2 are affected.
DailyCVE Form
Platform: Thunderbird
Version: <137.0.2, <128.9.2
Vulnerability: UI Misleading Hover
Severity: Medium
Date: 2025-04-15
Prediction: Patch expected by 2025-07-15
What Undercode Say
# Look for the header name inside the installed Thunderbird files
grep -r "X-Mozilla-External-Attachment-URL" /usr/lib/thunderbird/
# Fetch only the response headers of an external-attachment URL (placeholder host), without downloading the body
curl -I "http://malicious.com/"
How the Exploit Works
1. Craft an email with multiple attachments.
2. Set conflicting `X-Mozilla-External-Attachment-URL` headers on them.
3. Send it to the victim; the hover preview shows the wrong link.
Protection from this CVE
- Update to Thunderbird ≥137.0.2 or ≥128.9.2.
- Disable external link previews in settings.
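A gateway-side check for the condition described above, written as an added example (not code from DailyCVE, Undercode or Mozilla): it parses a raw message with Python's standard `email` library, collects every attachment part that carries an `X-Mozilla-External-Attachment-URL` header, and flags messages whose links point at different hosts, since that is the case in which the hover preview misrepresents all but the last attachment. The two messages it inspects are constructed samples with placeholder hosts (`files.example.test`, `cdn.another-host.test`); the function name `analyze_external_attachments` is this example's own.

```python
"""Flag messages whose external-attachment links disagree on host, which is the
condition under which an unpatched Thunderbird shows a misleading hover link."""
import email
from email import policy
from urllib.parse import urlparse

HEADER = "X-Mozilla-External-Attachment-URL"


def build_sample(url_a: str, url_b: str) -> str:
    """Constructed two-attachment test message (sample data, not a real capture)."""
    return (
        "From: sender@example.test\n"
        "To: recipient@example.test\n"
        "Subject: quarterly report\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "\n"
        "See the attached files.\n"
        "--b1\n"
        'Content-Type: application/pdf; name="report.pdf"\n'
        'Content-Disposition: attachment; filename="report.pdf"\n'
        f"{HEADER}: {url_a}\n"
        "\n"
        "--b1\n"
        'Content-Type: application/pdf; name="notes.pdf"\n'
        'Content-Disposition: attachment; filename="notes.pdf"\n'
        f"{HEADER}: {url_b}\n"
        "\n"
        "--b1--\n"
    )


def analyze_external_attachments(raw_message: str) -> dict:
    """Parse a raw RFC 5322 message and report every attachment part that carries
    an external-link header, plus whether those links point at different hosts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        url = part.get(HEADER)
        if url is None:
            continue  # regular inline attachment: no external link to check
        url = str(url).strip()
        attachments.append({
            "filename": part.get_filename(),
            "url": url,
            "host": (urlparse(url).hostname or "").lower(),
        })
    hosts = {a["host"] for a in attachments}
    return {
        "attachments": attachments,
        "external_count": len(attachments),
        # Only a message with two or more external links on different hosts
        # can make the hover text misrepresent where an attachment leads.
        "conflicting_hosts": len(attachments) > 1 and len(hosts) > 1,
    }


# Constructed samples: one with links on two hosts, one with both on the same host.
CONFLICTING = build_sample("https://files.example.test/report.pdf",
                           "https://cdn.another-host.test/notes.pdf")
CONSISTENT = build_sample("https://files.example.test/report.pdf",
                          "https://files.example.test/notes.pdf")

if __name__ == "__main__":
    for label, sample in (("conflicting", CONFLICTING), ("consistent", CONSISTENT)):
        report = analyze_external_attachments(sample)
        print(label, report["conflicting_hosts"],
              [a["host"] for a in report["attachments"]])
```

A quarantine or mail-filter script can run `analyze_external_attachments` over each inbound message and hold or annotate the ones where `conflicting_hosts` is true until the receiving clients are on 137.0.2 / 128.9.2 or later; legitimate Filelink mail normally points every attachment at the same storage host, so the check produces few false positives.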
Impact
User deception leading to malware download or phishing.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode