CVE-2025-1015
Published: 04 February 2025
Description
The Thunderbird Address Book URI fields contained unsanitized links. An attacker could create and export an address book containing a malicious payload in one of these fields, for example the “Other” field of the Instant Messaging section. If another user imported that address book, clicking on the link could open a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability was fixed in Thunderbird 128.7 and Thunderbird 135.
Security Summary
CVE-2025-1015 is a vulnerability in Mozilla Thunderbird's Address Book URI fields, which lacked proper sanitization of links. An attacker could craft an address book containing a malicious payload embedded in a field, such as the “Other” field in the Instant Messaging section, and export it for distribution. Affected versions of Thunderbird prior to 128.7 and 135 are vulnerable, with the issue tracked under CWE-79 (cross-site scripting) and assigned a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).
Exploitation requires a targeted attack in which the victim imports the malicious address book file and subsequently clicks on the embedded link. Any remote attacker can create such a file without privileges, but success depends on user interaction to import the file and activate the payload. Upon clicking, the link opens a web page within Thunderbird's context, allowing execution of unprivileged JavaScript, which could lead to low-impact confidentiality and integrity violations such as phishing or data exfiltration from within that unprivileged page context.
Mozilla addressed this in Thunderbird 128.7 and 135, as detailed in security advisories MFSA 2025-10 and MFSA 2025-11, available at the referenced Mozilla Security pages, along with Bugzilla entry 1939458. Security practitioners should ensure users update to patched versions and advise caution with importing address books from untrusted sources.
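The defensive check this class of bug calls for is a scheme allowlist applied to every URI-bearing field at import time, before the value is ever rendered as a clickable link. The following is an added example in Python, not Thunderbird's own code: it unfolds a vCard, locates the URI-bearing properties and keeps only values whose scheme is on an allowlist, treating scheme-less values as inert text. The property name X-IM-OTHER (standing in for the “Other” instant-messaging field), the allowlist and the sample vCard are constructed for illustration.

```python
import re

# Assumption: schemes a contact field may legitimately carry. Anything else
# (javascript:, data:, file:, vbscript:, unknown schemes) is refused.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto", "xmpp", "sip", "sips", "tel"})

# vCard properties whose value is a URI. X-IM-OTHER is a constructed
# stand-in for the "Other" instant-messaging field named in the advisory.
URI_PROPERTIES = frozenset({"URL", "IMPP", "X-IM-OTHER"})

# RFC 3986 scheme syntax; control characters are never acceptable in a URI.
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def classify_uri(value):
    """Return 'safe', 'text' or 'rejected' for one field value."""
    if _CONTROL.search(value):
        return "rejected"            # embedded CR/LF/NUL/TAB: refuse outright
    match = _SCHEME.match(value.strip())
    if not match:
        return "text"                # no scheme: store as inert text, not a link
    if match.group(1).lower() in ALLOWED_SCHEMES:
        return "safe"
    return "rejected"                # unknown or script-capable scheme


def unfold(text):
    """Join vCard folded lines (RFC 6350 section 3.2): a line starting with a
    single space or tab continues the previous line. Unfolding first means a
    payload split across lines is inspected as one value."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [line for line in lines if line]


def audit_vcard(text):
    """Return [(property, value, verdict)] for every URI-bearing field."""
    findings = []
    for line in unfold(text):
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        # Drop parameters (";X-SERVICE-TYPE=xmpp") and any group prefix ("item1.")
        name = head.split(";", 1)[0].split(".")[-1].upper()
        if name in URI_PROPERTIES:
            findings.append((name, value, classify_uri(value)))
    return findings


def import_safe_fields(text):
    """Fields that may be stored: rejected URIs are dropped before import."""
    return [(name, value) for name, value, verdict in audit_vcard(text)
            if verdict != "rejected"]


# Constructed sample: two legitimate links, two script-scheme values (one of
# them folded across lines and upper-cased) and one plain-text value.
SAMPLE_VCARD = (
    "BEGIN:VCARD\r\n"
    "VERSION:4.0\r\n"
    "FN:Example Contact\r\n"
    "URL:https://example.com/profile\r\n"
    "IMPP;X-SERVICE-TYPE=xmpp:xmpp:contact@example.com\r\n"
    "X-IM-OTHER:javascript:void(0)\r\n"
    "X-IM-OTHER:  JAVASCRIPT:void(\r\n"
    " 0)\r\n"
    "X-IM-OTHER:not a uri\r\n"
    "END:VCARD\r\n"
)

if __name__ == "__main__":
    for name, value, verdict in audit_vcard(SAMPLE_VCARD):
        print(f"{verdict:8} {name}: {value!r}")
```

The allowlist is deliberately short: a contact application only needs a handful of link types, and anything it cannot name has no business becoming a clickable element. Rejecting values that contain control characters before parsing closes the usual line-folding and whitespace tricks, and scheme-less values are kept but never rendered as links.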
Details
- CWE(s)