VYPR

Medium severity (6.3) · NVD Advisory · Published Apr 15, 2025 · Updated Apr 13, 2026

CVE-2025-2830

Description

By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well. This vulnerability was fixed in Thunderbird 137.0.2 and Thunderbird 128.9.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A malformed attachment filename in Thunderbird can leak the /tmp directory listing when the email is forwarded or edited as new.

Vulnerability Overview

CVE-2025-2830 is an information disclosure vulnerability in Thunderbird affecting both Linux and Windows platforms. By crafting a malformed file name for an attachment in a multipart message, an attacker can trigger Thunderbird to include a directory listing of /tmp when the user forwards or edits the message as new [1][2]. The root cause is improper handling of malformed attachment filenames, which leads to the unexpected inclusion of file system contents.

Attack Vector

The attacker sends a specially crafted email with an attachment whose filename is intentionally malformed. No user interaction beyond forwarding the received message or editing it as a new message is required to trigger the bug. The victim does not need to click any link; the act of forwarding or editing as new is enough for the directory listing to be embedded in the outgoing message [1][2]. The issue is rated medium severity (CVSS v3 6.3) because it directly exposes the names of the victim's temporary files.

Impact

An attacker who exploits this vulnerability can see the names of files and directories in /tmp (or the equivalent temporary directory on Windows). This could reveal temporary files created by other applications, session data, or any information stored in the user's temporary directory. The disclosure is limited to the directory listing and does not include file contents, but the listing alone may leak sensitive metadata such as file names and timestamps [1][2][3].

Mitigation

This vulnerability is fixed in Thunderbird versions 137.0.2 and 128.9.2 [1][2]. Users should update to the latest available version as soon as possible. No workarounds other than updating have been documented.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
