Unprotected URI Links in Thunderbird Address Book by Mozilla
CVE-2025-1015
Currently unrated
Summary
The Thunderbird Address Book contains unsanitized URI fields that could be exploited by attackers. By creating an address book with malicious links, an attacker may trick another user into importing the compromised address book. If the user clicks on the unsanitized link within Thunderbird, it could lead to arbitrary execution of unprivileged JavaScript on a webpage opened within the Thunderbird client. This poses significant security risks as it may allow attackers to manipulate user sessions or steal sensitive information.
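As an added example (not part of the advisory and not Mozilla's code), a pre-import review aid for a shared address book, assuming it arrives as a vCard file: it lists every `URL` and `IMPP` value and marks those whose scheme the per-property policy does not expect. The property list, the scheme policy and the sample file are assumptions, since the advisory does not name the affected fields or schemes.

```python
import re

# Assumed review policy (not from the advisory): schemes expected per vCard property.
EXPECTED = {
    "URL": {"http", "https"},
    "IMPP": {"xmpp", "sip", "sips", "irc", "ircs", "matrix"},
}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# Split "NAME;params:value" at the first colon that is not inside a quoted parameter.
LINE_RE = re.compile(r'^((?:[^:"]|"[^"]*")*):(.*)$')

# Constructed sample address book, not taken from any real report.
SAMPLE = """BEGIN:VCARD
VERSION:4.0
FN:Constructed Contact
URL:https://example.org/profile
IMPP:xmpp:contact@example.org
item1.IMPP;PREF=1:https://example.invalid/landing
 -page
END:VCARD
"""

def review_vcard(text):
    """Return (contact, property, value, verdict) for every URL/IMPP value."""
    findings, pending, contact = [], [], "(unnamed)"
    # Undo vCard line folding: a newline followed by space/tab continues the line.
    for line in re.sub(r"\r?\n[ \t]", "", text).splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        value = m.group(2).strip()
        # The head is [group.]NAME[;param=value...]; keep only NAME.
        name = m.group(1).split(";")[0].split(".")[-1].upper()
        if name == "FN":
            contact = value
        elif name in EXPECTED:
            s = SCHEME_RE.match(value)
            verdict = ("no-scheme" if not s else
                       "expected" if s.group(1).lower() in EXPECTED[name] else "review")
            pending.append((name, value, verdict))
        elif name == "END":  # FN may follow the links, so attribute at card end
            findings += [(contact, *p) for p in pending]
            pending, contact = [], "(unnamed)"
    return findings + [(contact, *p) for p in pending]  # card with no END line

if __name__ == "__main__":
    for row in review_vcard(SAMPLE):
        print(row)
```

Rows marked `review` or `no-scheme` are candidates for manual inspection before the file is imported; the check does not replace updating past the affected versions.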
Affected Version(s)
Thunderbird < 128.7
Credit
r3m0t3nu11