CVE-2025-5986

A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content. This vulnerability affects Thunderbird < 128.11.1 and Thunderbird < 139.0.2.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1958580%2C1968012	Broken Link
https://www.mozilla.org/security/advisories/mfsa2025-49/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-50/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mozilla:thunderbird:::::-:::*
	cpe:2.3:a:mozilla:thunderbird:::::-:::*

History

02 Jul 2025, 16:07

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-11 12:15

Updated : 2025-07-02 16:07

NVD link : CVE-2025-5986

Mitre link : CVE-2025-5986

CVE.ORG link : CVE-2025-5986

JSON object : View

Products Affected

mozilla

thunderbird

CWE

CWE-451

User Interface (UI) Misrepresentation of Critical Information

{"id": "CVE-2025-5986", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2025-06-11T12:15:29.183", "references": [{"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1958580%2C1968012", "tags": ["Broken Link"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-49/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-50/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-451"}]}], "descriptions": [{"lang": "en", "value": "A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content. This vulnerability affects Thunderbird < 128.11.1 and Thunderbird < 139.0.2."}, {"lang": "es", "value": "Un correo electr\u00f3nico HTML manipulado que utiliza enlaces mailbox:/// puede desencadenar descargas autom\u00e1ticas no solicitadas de archivos .pdf al escritorio o directorio personal del usuario sin previo aviso, incluso con el guardado autom\u00e1tico desactivado. Este comportamiento puede utilizarse para llenar el disco con datos innecesarios (p. ej., usando /dev/urandom en Linux) o para filtrar credenciales de Windows mediante enlaces SMB al visualizar el correo electr\u00f3nico en modo HTML. Si bien se requiere la interacci\u00f3n del usuario para descargar el archivo .pdf, la ofuscaci\u00f3n visual puede ocultar el desencadenador de la descarga. Ver el correo electr\u00f3nico en modo HTML es suficiente para cargar contenido externo. Esta vulnerabilidad afecta a Thunderbird (versi\u00f3n anterior a la 128.11.1) y Thunderbird (versi\u00f3n anterior a la 139.0.2)."}], "lastModified": "2025-07-02T16:07:00.620", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "02A11E50-4C28-475B-B957-B79BD0654056", "versionEndExcluding": "128.11.1"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "83C7414D-BCC3-4887-88B9-06E2F62FD328", "versionEndExcluding": "139.0.2", "versionStartIncluding": "135.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@mozilla.org"}