Description
The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability was fixed in Thunderbird 128.7 and Thunderbird 135.
Published: 2025-02-04
Score: 5.4 Medium
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because Thunderbird Address Book URI fields are not sanitized, allowing an attacker to embed malicious links in an address book, such as in the "Other" field of the Instant Messaging section. If a user imports such an address book and clicks the link, Thunderbird will open a web page within the client that can execute unprivileged JavaScript. This reflects weaknesses related to CWE-79 (Cross‑Site Scripting) and CWE-601 (Open Redirect).

Affected Systems

All users of Mozilla Thunderbird running versions prior to 128.7 and 135 are affected. The vulnerability is not tied to a specific operating system, but the associated CPEs include various Red Hat Enterprise Linux releases that may host Thunderbird. Any installation that imports address books from untrusted sources can be impacted.

Risk and Exploitability

The CVSS score of 5.4 signals moderate severity; the EPSS score of 1% indicates that attackers are not likely to target this flaw in the near future. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the victim to import a crafted address book and click a malicious link, which relies on user interaction to trigger the embedded JavaScript inside Thunderbird.

Generated by OpenCVE AI on June 18, 2026 at 03:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Thunderbird to the latest available version (at least 128.7 for the standard release or 135 for the extended support channel).
  • Avoid importing address books from unknown or untrusted sources; verify the integrity of the address book before opening it.
  • Configure Thunderbird to block remote content in imported address books or enable safe browsing features.

Generated by OpenCVE AI on June 18, 2026 at 03:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-5860-1 thunderbird security update
Ubuntu USN Ubuntu USN USN-7663-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability affects Thunderbird < 128.7 and Thunderbird < 135. The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability was fixed in Thunderbird 128.7 and Thunderbird 135.
Title thunderbird: Unsanitized address book fields Unsanitized address book fields

Mon, 10 Mar 2025 18:45:00 +0000

Type Values Removed Values Added
Description The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability affects Thunderbird < 128.7. The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability affects Thunderbird < 128.7 and Thunderbird < 135.
References

Thu, 13 Feb 2025 01:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus
Redhat rhel Tus
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:8.8
cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_eus:9.4
cpe:/a:redhat:rhel_tus:8.4
cpe:/a:redhat:rhel_tus:8.6
Vendors & Products Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Eus
Redhat rhel Tus

Fri, 07 Feb 2025 14:30:00 +0000

Type Values Removed Values Added
Title thunderbird: Unsanitized address book fields
Weaknesses CWE-601
References
Metrics threat_severity

None

threat_severity

Low


Thu, 06 Feb 2025 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 06 Feb 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla thunderbird
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla
Mozilla thunderbird
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}


Tue, 04 Feb 2025 14:15:00 +0000

Type Values Removed Values Added
Description The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability affects Thunderbird < 128.7.
References

Subscriptions

Mozilla Thunderbird
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Eus Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:30:36.941Z

Reserved: 2025-02-04T07:26:39.563Z

Link: CVE-2025-1015

cve-icon Vulnrichment

Updated: 2025-02-06T21:14:52.924Z

cve-icon NVD

Status : Modified

Published: 2025-02-04T14:15:32.363

Modified: 2026-06-17T08:38:13.913

Link: CVE-2025-1015

cve-icon Redhat

Severity : Low

Publid Date: 2025-02-04T13:58:56Z

Links: CVE-2025-1015 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T03:15:04Z

Weaknesses
  • CWE-601

    URL Redirection to Untrusted Site ('Open Redirect')

  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • NVD-CWE-noinfo