Bug 2359793 (CVE-2025-3522) - CVE-2025-3522 thunderbird: Leak of hashed Window credentials via crafted attachment URL
Summary: CVE-2025-3522 thunderbird: Leak of hashed Window credentials via crafted atta...
Keywords:
Status: NEW
Alias: CVE-2025-3522
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-04-15 16:01 UTC by OSIDB Bzimport
Modified: 2025-05-07 12:55 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:4229 0 None None None 2025-04-28 01:22:51 UTC
Red Hat Product Errata RHSA-2025:4389 0 None None None 2025-04-30 10:30:59 UTC
Red Hat Product Errata RHSA-2025:4512 0 None None None 2025-05-06 07:47:47 UTC
Red Hat Product Errata RHSA-2025:4513 0 None None None 2025-05-06 07:41:58 UTC
Red Hat Product Errata RHSA-2025:4514 0 None None None 2025-05-06 07:55:54 UTC
Red Hat Product Errata RHSA-2025:4617 0 None None None 2025-05-07 05:53:19 UTC
Red Hat Product Errata RHSA-2025:4649 0 None None None 2025-05-07 08:26:46 UTC
Red Hat Product Errata RHSA-2025:4654 0 None None None 2025-05-07 09:06:44 UTC
Red Hat Product Errata RHSA-2025:4665 0 None None None 2025-05-07 12:55:50 UTC

Description OSIDB Bzimport 2025-04-15 16:01:40 UTC 
Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to  determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
Comment 1 errata-xmlrpc 2025-04-28 01:22:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:4229 https://access.redhat.com/errata/RHSA-2025:4229
Comment 2 errata-xmlrpc 2025-04-30 10:30:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:4389 https://access.redhat.com/errata/RHSA-2025:4389
Comment 3 errata-xmlrpc 2025-05-06 07:41:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2025:4513 https://access.redhat.com/errata/RHSA-2025:4513
Comment 4 errata-xmlrpc 2025-05-06 07:47:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:4512 https://access.redhat.com/errata/RHSA-2025:4512
Comment 5 errata-xmlrpc 2025-05-06 07:55:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:4514 https://access.redhat.com/errata/RHSA-2025:4514
Comment 6 errata-xmlrpc 2025-05-07 05:53:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2025:4617 https://access.redhat.com/errata/RHSA-2025:4617
Comment 7 errata-xmlrpc 2025-05-07 08:26:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:4649 https://access.redhat.com/errata/RHSA-2025:4649
Comment 8 errata-xmlrpc 2025-05-07 09:06:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2025:4654 https://access.redhat.com/errata/RHSA-2025:4654
Comment 9 errata-xmlrpc 2025-05-07 12:55:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:4665 https://access.redhat.com/errata/RHSA-2025:4665
Note You need to log in before you can comment on or make changes to this bug.