CVE-2025-2830

NameCVE-2025-2830
DescriptionBy crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
thunderbird (PTS)bullseye1:115.12.0-1~deb11u1vulnerable
bullseye (security)1:128.9.0esr-1~deb11u1vulnerable
bookworm1:128.8.0esr-1~deb12u1vulnerable
bookworm (security)1:128.9.0esr-1~deb12u1vulnerable
sid, trixie1:128.9.0esr-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
thunderbirdsource(unstable)(unfixed)

Notes

[bookworm] - thunderbird <postponed> (Fix along with May security release)
https://www.mozilla.org/en-US/security/advisories/mfsa2025-27/#CVE-2025-2830
Search for package or bug name: Reporting problems