Description
The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability was fixed in Thunderbird 128.7 and Thunderbird 135.
Published: 2025-02-04
Score: 5.4 Medium
EPSS: 23.8% Moderate
KEV: No
Impact: Untrusted Code Execution via Embedded Links in Thunderbird
Action: Apply Patch
AI Analysis

Impact

This vulnerability stems from unsanitized URI fields in the Thunderbird Address Book. A malicious address book can contain links that, when imported and clicked by a user, launch a web page within Thunderbird. The page is able to execute unprivileged JavaScript, potentially allowing an attacker to perform arbitrary script operations in the context of the Thunderbird client. The weakness is related to CWE-79 (Cross‑Site Scripting) and CWE-601 (Open Redirect), and can lead to data theft, phishing, or further exploitation within the user's environment.

Affected Systems

All users of Mozilla Thunderbird running versions prior to 128.7 and 135 are affected. The vulnerability is not tied to a specific operating system, but the associated CPEs include various Red Hat Enterprise Linux releases that may host Thunderbird. Any installation that imports address books from untrusted sources can be impacted.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity, while the EPSS score of 24% reflects a relatively high likelihood that attackers will exploit this flaw in the near term. Because the attack requires the victim to import a crafted address book and click the malicious link, it is a user‑interaction vector that is easier to execute with social engineering. The vulnerability is not listed in the CISA KEV catalog, but given its attack surface and exploitation probability, an organization should treat it as a significant risk.

Generated by OpenCVE AI on April 20, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Thunderbird to the latest available version (at least 128.7 for the standard release or 135 for the extended support channel).
  • Avoid importing address books from unknown or untrusted sources; verify the integrity of the address book before opening it.
  • Use email filtering and attachment scanning to detect and block malicious address books that may contain embedded links.

Generated by OpenCVE AI on April 20, 2026 at 18:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-5860-1 thunderbird security update
Ubuntu USN Ubuntu USN USN-7663-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability affects Thunderbird < 128.7 and Thunderbird < 135. The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability was fixed in Thunderbird 128.7 and Thunderbird 135.
Title thunderbird: Unsanitized address book fields Unsanitized address book fields

Mon, 10 Mar 2025 18:45:00 +0000

Type Values Removed Values Added
Description The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability affects Thunderbird < 128.7. The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability affects Thunderbird < 128.7 and Thunderbird < 135.
References

Thu, 13 Feb 2025 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus
Redhat rhel Tus
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:8.8
cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_eus:9.4
cpe:/a:redhat:rhel_tus:8.4
cpe:/a:redhat:rhel_tus:8.6
Vendors & Products Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus
Redhat rhel Tus

Fri, 07 Feb 2025 14:30:00 +0000

Type Values Removed Values Added
Title thunderbird: Unsanitized address book fields
Weaknesses CWE-601
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 06 Feb 2025 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 06 Feb 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla thunderbird
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla
Mozilla thunderbird
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}

Tue, 04 Feb 2025 14:15:00 +0000

Type Values Removed Values Added
Description The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability affects Thunderbird < 128.7.
References

Subscriptions

Mozilla Thunderbird
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Eus Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:30:36.941Z

Reserved: 2025-02-04T07:26:39.563Z

Link: CVE-2025-1015

cve-icon Vulnrichment

Updated: 2025-02-06T21:14:52.924Z

cve-icon NVD

Status : Modified

Published: 2025-02-04T14:15:32.363

Modified: 2026-04-13T15:16:50.267

Link: CVE-2025-1015

cve-icon Redhat

Severity : Low

Publid Date: 2025-02-04T13:58:56Z

Links: CVE-2025-1015 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T18:30:13Z

Weaknesses