Thunderbird Stable Releases

Mozilla Thunderbird v136.0.1 stable has been released. (18-March-2025)

Home | Release Notes | Download Thunderbird in your language |

Spoiler

What’s Fixed


fixed

Thunderbird could crash during shutdown if a search was still active.


fixed

Failed news message send could close the compose window unexpectedly.

 

Although High Impact Security Advisories have been published for the Thunderbird Nebula (137.0) and Thunderbird ESR (128.9.0) editions, as of the time of this posting, the actual releases for Thunderbird Nebula (137.0) are absent from their release repository.

Reference:

Security Vulnerabilities fixed in Thunderbird ESR 128.9
Security Vulnerabilities fixed in Thunderbird 137

HTH

 

Mozilla Thunderbird v137.0 stable has been released. (01-April-2025)

Home | Release Notes | Release Repository and Hashes | Auto update or Download Thunderbird in your language |

Spoiler

What’s Changed

changed

File names are now used when storing mail folders (Windows only).


changed

Disable Linux system tray icon until it gains functionality

What’s Fixed

fixed

In-app notifications did not display correctly in high contrast mode.


fixed

Repair folder did not fix mbox files produced on macOS before Thunderbird 1.0.


fixed

Edit menu entries missing when group header selected in “Grouped by sort” view.


fixed

IMAP folder “Undelete” performed “Delete” when mixed messages were selected.


fixed

In RSS feeds, the space bar did not scroll the message like it did in emails.


fixed

Slow performance opening an .eml file in a profile with many folders.


fixed

Threaded search view was not updated correctly when sorted by date received.


fixed

Line spacing changed unexpectedly in the message list with the default font size.


fixed

Saved message list selection was discarded when user made a new selection.


fixed

Replying from local or unified folders failed when the message pane was hidden.


fixed

Message security panel strings were used in the wrong places.


fixed

Importing an OpenPGP public key with whitespace failed.


fixed

Unable to open attached signed OpenPGP .eml message.


fixed

Right-clicking “Decrypt and Save As…” on an attachment file failed.


fixed

Searching during shutdown could cause crash.


fixed

Failed news message sending could close the compose window unexpectedly.


fixed

Having a corrupt address book database prevented sending mail.


fixed

Forwarding messages as attachments could use the wrong MIME type.


fixed

Two-factor auth via text or email did not work with Office 365 using Oauth2.


fixed

Account settings menu could be loaded twice.


fixed

No gap existed between Back and Forward buttons in the Feed Account Wizard dialog.


fixed

Thunderbird could crash when importing mail


fixed

Unable to auto-discover Address Book on Radicale server.


fixed

Mark-Of-The-Web was not applied to attachments saved via drag and drop.


fixed

Some messages could not be scrolled due to hidden overflows in inline styles.


fixed

Clicking a 'mid:' link could clear the thread pane and cause errors.


fixed

Performance regressed when moving/copying messages on Windows.


fixed

Automatic compact did not attempt to compact all folders when error encountered.


fixed

Slow performance when moving bulk messages from IMAP to local.


fixed

Cross posting news articles was not possible if newsgroups on different servers.


fixed

IRC channel was not visible after restart.


fixed

Unable to view the full certificate chain from the “View Signature” button.


fixed

Visual and UX improvements


fixed

Security fixes

 

Mozilla Thunderbird Nebula v137.0.1 stable has been released. (04-April-2025)

Home | Release Notes | Release Repository and Hashes | Auto update or Download Thunderbird in your language |

Spoiler

What’s Fixed


fixed

Added delay to built-in notifications when a new profile is created in offline mode.

 

Mozilla Thunderbird Nebula v137.0.2 stable has been released. (15-April-2025)

Home | Release Notes | Release Repository and Hashes | Auto update or Download Thunderbird in your language |

Spoiler

fixed

Thunderbird could crash on startup when creating a Linux system tray icon


fixed

Security fixes

Spoiler

Mozilla Foundation Security Advisory 2025-26
Security Vulnerabilities fixed in Thunderbird 137.0.2

Announced
April 15, 2025
Impact
high
Products
Thunderbird
Fixed in

Thunderbird 137.0.2

#CVE-2025-3522: Leak of hashed Window credentials via crafted attachment URL

Reporter
Dario Weißer
Impact
high

Description

Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues.
References

Bug 1955372

#CVE-2025-2830: Information Disclosure of /tmp directory listing

Reporter
Dario Weißer
Impact
high

Description

By crafting a malformed file name for an attachment in a multipart message, an attacker can trick Thunderbird into including a directory listing of /tmp when the message is forwarded or edited as a new message. This vulnerability could allow attackers to disclose sensitive information from the victim's system. This vulnerability is not limited to Linux; similar behavior has been observed on Windows as well.
References

Bug 1956379

#CVE-2025-3523: User Interface (UI) Misrepresentation of attachment URL

Reporter
Dario Weißer
Impact
low

Description

When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources.
References

Bug 1958385

 

Mozilla Thunderbird v128.9.2esr has been released. (15-April-2025)

Home | Release Notes | Release Repository and Hashes | Auto update or Download Thunderbird in your language |

Spoiler

fixed

Two-factor auth via text or email did not work with Office 365 using Oauth2.


fixed

IRC channel was not visible after restart.


fixed

Global indexing failed when processing email with invalid calendar data


fixed

Security fixes