Unprotected URI Links in Thunderbird Address Book by Mozilla
CVE-2025-1015

5.4 MEDIUM

Key Information:

Vendor: Mozilla
CVE Published: 4 February 2025

Badges

  • 📈 Score: 230
  • 👾 Exploit Exists
  • 🟡 Public PoC

What is CVE-2025-1015?

CVE-2025-1015 is a vulnerability in the Address Book of Thunderbird, the open-source email client developed by Mozilla. The Address Book lets users store and manage contacts, and several of its fields, notably those in the Instant Messaging section, hold URI links. The vulnerability arises because these URI fields were not sanitized. If an attacker crafts an address book containing malicious links and a victim imports it, following one of those links can cause scripts to execute within Thunderbird, exposing the victim and their organization to the threats described below.

Technical Details

The vulnerability exists in versions of Thunderbird prior to 128.7, where the Address Book's URI fields were not sanitized on import. An untrusted link placed in such a field is imported as-is; if the user then clicks it, Thunderbird's interface navigates to the attacker's web page, which can execute JavaScript within the user's session, although only with unprivileged access. Because no sanitization takes place, an imported address book becomes a path by which an attacker can turn an ordinary user action (clicking a contact's link) into script execution and potential access to sensitive information.
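The fix described above is sanitization of URI fields at import time. The following Python is an added example, not Mozilla's code and not the patched Thunderbird logic: it applies a scheme allow-list to the URI-bearing vCard properties (IMPP, the instant-messaging field, and URL) before a contact is accepted. Thunderbird can import contacts from vCard, but the allow-list contents, the set of checked properties, the rejection reasons and the sample vCard are all assumptions constructed for this illustration.

```python
"""Allow-list filter for URI-bearing vCard properties, applied before import."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Schemes a contact manager has a legitimate reason to carry. This list is an
# assumption for the example; a real importer would choose its own.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto", "xmpp", "sip", "sips", "tel"})

# vCard properties whose value is a URI that a client may render as a clickable
# link. IMPP is the instant-messaging property; the property set is assumed here.
URI_PROPERTIES = frozenset({"IMPP", "URL"})

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")


@dataclass
class FilterResult:
    kept: list[tuple[str, str]] = field(default_factory=list)          # (property, uri)
    dropped: list[tuple[str, str, str]] = field(default_factory=list)  # (property, uri, reason)


def unfold(vcard_text: str) -> list[str]:
    """Join folded lines: a continuation line starts with a space or tab (RFC 6350)."""
    lines: list[str] = []
    for raw in vcard_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def check_uri(value: str) -> str | None:
    """Return None when the URI is acceptable, otherwise the reason to reject it."""
    value = value.strip()
    # Reject embedded control characters before parsing: URL parsers commonly
    # strip tabs and newlines, which would let "java<TAB>script:" read as javascript:.
    if any(ord(c) < 0x20 for c in value):
        return "control character in URI"
    scheme = urlsplit(value).scheme.lower()
    if not scheme or not _SCHEME_RE.match(scheme):
        return "missing or malformed scheme"
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme {scheme!r} not on allow-list"
    return None


def filter_vcard_uris(vcard_text: str) -> FilterResult:
    """Split each URI-bearing property into kept (safe) and dropped (rejected)."""
    result = FilterResult()
    for line in unfold(vcard_text):
        if ":" not in line:
            continue
        name_and_params, value = line.split(":", 1)   # "IMPP;TYPE=work" / "xmpp:..."
        prop = name_and_params.split(";", 1)[0].strip().upper()
        if prop not in URI_PROPERTIES:
            continue
        reason = check_uri(value)
        if reason is None:
            result.kept.append((prop, value.strip()))
        else:
            result.dropped.append((prop, value.strip(), reason))
    return result


# Constructed sample: two acceptable links (one of them folded across two lines),
# one script-bearing scheme and one value with no scheme at all.
SAMPLE_VCARD = """\
BEGIN:VCARD
VERSION:4.0
FN:Example Contact
EMAIL:contact@example.com
IMPP;TYPE=work:xmpp:contact@example.com
URL:https://example.com/profile/with-a-long
 -path
IMPP:javascript:void(0)
URL:example.com/no-scheme
END:VCARD
"""

if __name__ == "__main__":
    outcome = filter_vcard_uris(SAMPLE_VCARD)
    for prop, uri in outcome.kept:
        print(f"KEEP  {prop}: {uri}")
    for prop, uri, reason in outcome.dropped:
        print(f"DROP  {prop}: {uri}  ({reason})")
```

The check runs on the unfolded value, so a link split across a folded line is judged whole, and it rejects on the scheme rather than on a deny-list of known-bad prefixes, which is why an importer should not need to know every scheme Gecko will treat as executable.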

Potential Impact of CVE-2025-1015

  1. Execution of Malicious Scripts: An attacker who can execute JavaScript within the Thunderbird environment may be able to abuse the user's session, for example to exfiltrate data or carry out unauthorized actions.

  2. Phishing Attacks: Because the flaw lets an attacker deliver links that lead to phishing sites, it raises the risk of credential theft and unauthorized access to sensitive accounts.

  3. Spread of Malware: The vulnerability could serve as a vector for malware if users are tricked into visiting compromised web pages or downloading malicious content, undermining organizational defenses and leading to broader security breaches.

Affected Version(s)

Thunderbird < 128.7

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

References

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved

Credit

r3m0t3nu11