Medium severity6.3NVD Advisory· Published Apr 15, 2025· Updated Jun 17, 2026
CVE-2025-2830
CVE-2025-2830
Description
By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well. This vulnerability was fixed in Thunderbird 137.0.2 and Thunderbird 128.9.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
7cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*range: <128.9.2
- (no CPE)range: before 137.0.2 and 128.9.2
- osv-coords5 versionspkg:rpm/almalinux/thunderbirdpkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Tumbleweedpkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP6
< 128.9.2-1.el9_5.alma.1+ 4 more
- (no CPE)range: < 128.9.2-1.el9_5.alma.1
- (no CPE)range: < 128.9.2-150200.8.209.1
- (no CPE)range: < 128.9.2-1.1
- (no CPE)range: < 128.9.2-150200.8.209.1
- (no CPE)range: < 128.9.2-150200.8.209.1
Patches
Vulnerability mechanics
References
3- www.mozilla.org/security/advisories/mfsa2025-26/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2025-27/nvdVendor Advisory
- bugzilla.mozilla.org/show_bug.cginvdPermissions Required
News mentions
0No linked articles in our index yet.