Main Vulnerability Database Vulnerabilities #VU107465

Spoofing attack in Mozilla Thunderbird - CVE-2025-3523

Published: April 15, 2025

Vulnerability identifier: #VU107465

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:U/U:Clear

CVE-ID: CVE-2025-3523

CWE-ID: CWE-451

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Mozilla

Affected software:
Mozilla Thunderbird

Detailed vulnerability description

The vulnerability allows a remote attacker to perform spoofing attack.

When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources.

How to mitigate CVE-2025-3523

Install updates from vendor's website.

Sources

https://www.mozilla.org/en-US/security/advisories/mfsa2025-27/
https://bugzilla.mozilla.org/show_bug.cgi?id=1958385
https://www.mozilla.org/en-US/security/advisories/mfsa2025-26/

Spoofing attack in Mozilla Thunderbird - CVE-2025-3523

Detailed vulnerability description

How to mitigate CVE-2025-3523

Sources

Please verify you're human