cve-2025-5986
Vulnerability from cvelistv5
Published
2025-06-11 12:07
Modified
2025-06-11 13:20
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Summary
A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content. This vulnerability affects Thunderbird < 128.11.1 and Thunderbird < 139.0.2.
References
security@mozilla.orghttps://bugzilla.mozilla.org/buglist.cgi?bug_id=1958580%2C1968012Broken Link
security@mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2025-49/Vendor Advisory
security@mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2025-50/Vendor Advisory
Impacted products
MozillaThunderbird
MozillaThunderbird
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-5986",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-11T13:20:09.964885Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-451",
                "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-11T13:20:28.401Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "128.11.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThan": "139.0.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Dario Wei\u00dfer"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user\u0027s desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content. This vulnerability affects Thunderbird \u003c 128.11.1 and Thunderbird \u003c 139.0.2."
            }
          ],
          "value": "A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user\u0027s desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content. This vulnerability affects Thunderbird \u003c 128.11.1 and Thunderbird \u003c 139.0.2."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Unsolicited File Download, Disk Space Exhaustion, and Credential Leakage via mailbox:/// Links",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-11T12:07:50.430Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1958580%2C1968012"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-49/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2025-50/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2025-5986",
    "datePublished": "2025-06-11T12:07:50.430Z",
    "dateReserved": "2025-06-10T20:07:11.178Z",
    "dateUpdated": "2025-06-11T13:20:28.401Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-5986\",\"sourceIdentifier\":\"security@mozilla.org\",\"published\":\"2025-06-11T12:15:29.183\",\"lastModified\":\"2025-07-02T16:07:00.620\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user\u0027s desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content. This vulnerability affects Thunderbird \u003c 128.11.1 and Thunderbird \u003c 139.0.2.\"},{\"lang\":\"es\",\"value\":\"Un correo electr\u00f3nico HTML manipulado que utiliza enlaces mailbox:/// puede desencadenar descargas autom\u00e1ticas no solicitadas de archivos .pdf al escritorio o directorio personal del usuario sin previo aviso, incluso con el guardado autom\u00e1tico desactivado. Este comportamiento puede utilizarse para llenar el disco con datos innecesarios (p. ej., usando /dev/urandom en Linux) o para filtrar credenciales de Windows mediante enlaces SMB al visualizar el correo electr\u00f3nico en modo HTML. Si bien se requiere la interacci\u00f3n del usuario para descargar el archivo .pdf, la ofuscaci\u00f3n visual puede ocultar el desencadenador de la descarga. Ver el correo electr\u00f3nico en modo HTML es suficiente para cargar contenido externo. Esta vulnerabilidad afecta a Thunderbird (versi\u00f3n anterior a la 128.11.1) y Thunderbird (versi\u00f3n anterior a la 139.0.2).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-451\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*\",\"versionEndExcluding\":\"128.11.1\",\"matchCriteriaId\":\"02A11E50-4C28-475B-B957-B79BD0654056\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"135.0\",\"versionEndExcluding\":\"139.0.2\",\"matchCriteriaId\":\"83C7414D-BCC3-4887-88B9-06E2F62FD328\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.mozilla.org/buglist.cgi?bug_id=1958580%2C1968012\",\"source\":\"security@mozilla.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2025-49/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2025-50/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.