Vulnerability Description
The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability was fixed in Thunderbird 128.7 and Thunderbird 135.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Thunderbird | >= 128.0.1, < 128.7.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1939458Permissions Required
- https://www.mozilla.org/security/advisories/mfsa2025-10/Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2025-11/
FAQ
What is CVE-2025-1015?
CVE-2025-1015 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in t...
How severe is CVE-2025-1015?
CVE-2025-1015 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-1015?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Thunderbird.