CVE-2025-1015
Published: 04 February 2025
Summary
CVE-2025-1015 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Mozilla Thunderbird. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks in the top 4.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires timely patching of the Thunderbird flaw lacking URI sanitization in Address Book fields, as fixed in versions 128.7 and 135.
- Mandates validation of URI inputs in Address Book fields during import to block malicious links and payloads.
- Restricts execution of unprivileged JavaScript mobile code from web pages opened via malicious Address Book links.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The XSS in the address book allows JavaScript execution once a user imports the malicious file and clicks the embedded link (T1204.002, T1059.007).
NVD Description
The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability was fixed in Thunderbird 128.7 and Thunderbird 135.
Deeper analysis
CVE-2025-1015 is a vulnerability in the Address Book URI fields of Mozilla Thunderbird, which did not sanitize links. An attacker could craft an address book with a malicious payload embedded in a field, such as the “Other” field in the Instant Messaging section, and export it for distribution. Thunderbird versions prior to 128.7 and 135 are affected; the issue is tracked under CWE-79 (cross-site scripting) and carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).
Exploitation requires a targeted attack in which the victim imports the malicious address book file and then clicks the embedded link. Any remote attacker can create such a file without privileges, but success depends on user interaction to import the file and activate the payload. On click, the link opens a web page inside Thunderbird's context, where unprivileged JavaScript can run, giving low-impact confidentiality and integrity effects such as phishing or data exfiltration within the browser's isolated environment.
Mozilla addressed this in Thunderbird 128.7 and 135, as detailed in security advisories MFSA 2025-10 and MFSA 2025-11 (see the referenced Mozilla Security pages) and in Bugzilla entry 1939458. Security practitioners should ensure users update to the patched versions and advise caution when importing address books from untrusted sources.
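The SI-10 control above (validate URI inputs in Address Book fields during import) and the analysis of the flaw both come down to one check: a link field must only ever hold a URI whose scheme cannot execute script. The following is an added example of such an import-time validator, not Thunderbird's code or its actual fix; the field names and the sample contacts are constructed for this example.

```python
import re
from typing import Optional, Tuple, List, Dict
from urllib.parse import urlsplit

# Allowlist of schemes a contact link may legitimately hold. Everything else
# (javascript:, data:, vbscript:, file:, ...) is rejected, so novel or
# obfuscated schemes fail closed instead of needing a denylist entry.
ALLOWED_SCHEMES = {"http", "https", "mailto", "xmpp"}

# Browsers ignore embedded tabs/newlines and other control characters when
# parsing a URL, so "jav\tascript:" must be normalised before the scheme check.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")

# Assumed field names for this example; real Thunderbird export columns differ.
URI_FIELDS = ("WebPage1", "WebPage2", "IM_Other")


def sanitize_uri(value: str) -> Optional[str]:
    """Return the cleaned URI if its scheme is allowlisted, else None."""
    cleaned = _CTRL.sub("", value.strip())
    if not cleaned:
        return None
    scheme = urlsplit(cleaned).scheme.lower()   # "" when no scheme present
    if scheme not in ALLOWED_SCHEMES:
        return None
    return cleaned


def sanitize_contact(contact: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Blank every unsafe URI field; return the cleaned copy and the rejected field names."""
    clean = dict(contact)
    rejected: List[str] = []
    for field in URI_FIELDS:
        raw = contact.get(field, "")
        if not raw:
            continue
        safe = sanitize_uri(raw)
        if safe is None:
            clean[field] = ""          # drop the link rather than import it
            rejected.append(field)
        else:
            clean[field] = safe
    return clean, rejected


# Constructed sample contacts (not real data) for a stand-alone run.
SAMPLE_CONTACTS = [
    {"DisplayName": "Alice Example", "WebPage1": " https://example.org/~alice ",
     "IM_Other": "xmpp:alice@example.org"},
    {"DisplayName": "Mallory", "WebPage1": "javascript:alert(1)",
     "IM_Other": "data:text/html,x"},
    {"DisplayName": "Bob", "WebPage2": "\tJavaScript:void(0)"},
]

if __name__ == "__main__":
    for contact in SAMPLE_CONTACTS:
        cleaned, dropped = sanitize_contact(contact)
        print(cleaned["DisplayName"], "rejected fields:", dropped)
```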
Details
- CWE(s)