Thunderbird: HTML mails can reveal access data, update available

Mozilla has released updates for Thunderbird. They plug a security leak in the display of HTML emails.

Warning sign next to Thunderbird program 139.0.2

(Image: heise online / dmk)


The Mozilla developers have released updated versions of the Thunderbird mail program. They close a security hole in the processing of HTML emails that could, among other things, allow attackers to obtain access credentials without authorization.

The Mozilla Foundation has published two security advisories, one for Thunderbird 139.0.2 and one for Thunderbird 128.11.1. Attackers can exploit the vulnerability with carefully crafted “mailbox:///” links. According to the vulnerability description, such links can automatically trigger the unsolicited download of PDF files to the desktop or home directory of Thunderbird users without any prompt, and this happens even when auto-save is not enabled.

This could allow attackers to fill the hard disk with garbage data, the developers write, for example by pointing the link at “/dev/urandom” on Linux. If malicious actors send carefully crafted emails containing such prepared SMB links to potential victims, merely displaying the email in HTML mode can lead to the transmission of Windows access credentials.


The Mozilla developers qualify this: user interaction is required to download PDF files through the hole. However, visual obfuscation could disguise the download trigger, and simply displaying HTML emails is enough to load external content.
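For mail gateways or incident responders who want to find messages of the kind described above, here is an added example (not Mozilla's code and not from the advisory) that parses a raw message and flags link targets in its HTML parts that use a mailbox:// scheme or point at SMB/UNC shares. The sample message is constructed for the demonstration; treating file:// the same way is an assumption of this example, not something the advisory states.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Schemes that have no business in a legitimate HTML mail body. "mailbox" and
# SMB/UNC targets are the ones the Thunderbird advisory describes; "file" is
# added here as an assumption (same class of local-resource links).
SUSPICIOUS_SCHEMES = {"mailbox", "smb", "file"}


class _LinkCollector(HTMLParser):
    """Collect every href/src attribute value from an HTML part."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value.strip())


def suspicious_links(raw_message: bytes) -> list:
    """Return link targets in the text/html parts of a raw RFC 5322 message
    that use a mailbox://, smb:// or file:// scheme or are UNC paths (\\\\host\\share)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(part.get_content())
        for link in collector.links:
            scheme = urlparse(link).scheme.lower()
            if scheme in SUSPICIOUS_SCHEMES or link.startswith("\\\\"):
                hits.append(link)
    return hits


# Constructed sample, not a real attack mail: one harmless HTTPS link, one
# mailbox:/// link behind an innocuous label, and a 1x1 image fetched from a UNC path.
SAMPLE_EML = b"""From: sender@example.invalid
To: user@example.invalid
Subject: invoice
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<a href="https://example.invalid/ok">normal link</a>
<a href="mailbox:///home/user/Mail/Inbox?number=1">click</a>
<img src="\\\\fileserver.invalid\\share\\pixel.png" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EML):
        print("suspicious:", link)
```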

The vulnerability has been assigned CVE-2025-5986; ENISA lists it as EUVD-2025-18099. With a CVSS score of 6.5 it carries a risk rating of “medium”, whereas the Mozilla developers rate it as a “high” risk.

Anyone using Thunderbird should check in the version dialog whether the installed version is already one of the fixed releases 128.11.1 or 139.0.2 or newer; opening the dialog may also trigger the update process. Linux distributions, on the other hand, distribute the update through their package management, so Linux users should run it and check for updates.

Two weeks ago, Mozilla also released updates for Thunderbird. They closed a security gap classified as a critical threat.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.