Mozilla Thunderbird Unsolicited File Download Vulnerability via mailbox:/// Links

Vulnerability

A vulnerability in Mozilla Thunderbird allows a crafted HTML email containing mailbox:/// links to trigger automatic downloads of PDF files to the user's desktop or home directory. The download happens without any prompt, even when auto-saving is disabled. The issue affects Thunderbird versions prior to 128.10.1 and prior to 138.0.1. It can be exploited to fill the disk with unwanted data or, when the email is viewed in HTML mode, to leak Windows credentials via SMB links. Although user interaction is needed to download the PDF, the element that triggers the download can be visually obscured.

Impact

Exploitation of this vulnerability leads to unauthorized file downloads, potential disk space exhaustion, and leakage of Windows credentials via SMB links.

Remediation

Upgrade to Thunderbird 128.10.1 or 138.0.1 (or later) to address this vulnerability.
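Two checks a defender can run against this advisory, written as an added example rather than code from the advisory or from Mozilla: a version test against the two fixed releases, and a scan of an inbound HTML body for mailbox:/// and SMB/UNC link targets. The sample message body is constructed, and the example assumes that 128.x versions are measured against the 128.10.1 fix and all other versions against 138.0.1.

```python
import re
from html.parser import HTMLParser

# Fixed versions named in the advisory: the 128 branch and the 138 branch.
FIXED_128_BRANCH = (128, 10, 1)
FIXED_138_BRANCH = (138, 0, 1)

def parse_version(text):
    """Turn strings such as '128.9.0esr' or '138.0' into a comparable 3-tuple."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(n) for n in nums[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def is_vulnerable(version):
    """True if this Thunderbird version predates the fix on its branch.
    Assumption: 128.x is compared with 128.10.1, everything else with 138.0.1."""
    v = parse_version(version)
    if v[0] == 128:
        return v < FIXED_128_BRANCH
    return v < FIXED_138_BRANCH

class _LinkCollector(HTMLParser):
    """Collect href/src/action attribute values from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value.strip())

# Schemes worth flagging in inbound mail: the mailbox:/// trigger named in the
# advisory, plus SMB/UNC and file: targets that can provoke Windows auth leaks.
_SUSPICIOUS = re.compile(r"^(mailbox:|smb:|file:|\\\\)", re.IGNORECASE)

def find_suspicious_links(html_body):
    """Return every link target in the body that uses a flagged scheme."""
    collector = _LinkCollector()
    collector.feed(html_body)
    return [u for u in collector.links if _SUSPICIOUS.match(u)]

# Constructed sample body (placeholder paths, not a real message or exploit).
SAMPLE_HTML = """<html><body>
<p>Invoice attached. <a href="https://example.com/invoice">View online</a></p>
<a href="mailbox:///constructed/placeholder/report.pdf">hidden trigger</a>
<img src="\\\\fileserver\\share\\pixel.png">
</body></html>"""
```

Run `find_suspicious_links(SAMPLE_HTML)` on a quarantined message body to see which link targets a mail gateway rule should flag; `is_vulnerable("128.9.0esr")` reports whether a client build still needs the update.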

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:          7.8
impact:          2.5
exploitability:  4.4
remediation:     7.7
relevance:       0.0
threat:          0.0
urgency:         2.9
incentive:       0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.