CVE-2025-1015

5.4 MEDIUM

📋 TL;DR

This vulnerability allows attackers to embed malicious links in Thunderbird address book fields. When another user imports the crafted address book and clicks the link, JavaScript executes within Thunderbird's browser context. Thunderbird versions earlier than 128.7 and versions earlier than 135 are affected.

💻 Affected Systems

Products:
  • Mozilla Thunderbird
Versions: Thunderbird < 128.7 and Thunderbird < 135
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All Thunderbird installations with vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could execute arbitrary JavaScript in Thunderbird's context, potentially stealing session cookies, redirecting to phishing sites, or performing client-side attacks against the user.

🟠 Likely Case

Attackers create address books with malicious links that execute JavaScript when imported and clicked, enabling social engineering attacks or information theft.

🟢 If Mitigated

With proper patching and user awareness, impact is minimal, as JavaScript execution is unprivileged and requires user interaction.

🌐 Internet-Facing: LOW. No network-exposed service is involved; exploitation still requires a user to import the crafted address book and click the link.
🏢 Internal Only: MEDIUM. The social engineering step (getting a user to import an address book and click a link) is the only barrier, and internal users are more likely to trust a shared address book.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires social engineering to convince users to import malicious address books and click links.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Thunderbird 128.7 or Thunderbird 135

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-10/

Restart Required: Yes

Instructions:

1. Open Thunderbird.
2. Go to Help > About Thunderbird.
3. Allow the automatic update, or download the latest version from mozilla.org.
4. Restart Thunderbird after the update.

🔧 Temporary Workarounds

Disable JavaScript in Thunderbird (applies to: all)

Prevents JavaScript execution from malicious links.

Edit config: set javascript.enabled to false in about:config.

Restrict Address Book Imports (applies to: all)

Limit address book imports to trusted sources only.

🧯 If You Can't Patch

  • Avoid importing address books from untrusted sources
  • Train users to never click links in imported address books without verification

🔍 How to Verify

Check if Vulnerable:

Check Thunderbird version in Help > About Thunderbird

Check Version:

Run thunderbird --version (Linux), or check the About dialog (Help > About Thunderbird).

Verify Fix Applied:

Confirm the version is 128.7 or later on the 128 branch, or 135 or later on the mainline branch. Note that 129 through 134 are still affected: the fix only landed in 128.7 and 135.
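As an added example (not part of this advisory or of Thunderbird itself), the following Python script applies the thresholds above to the output of thunderbird --version, treating the 128 branch and the mainline branch separately so that 129 through 134 are still reported as affected. It assumes the command prints a dotted version such as "Thunderbird 128.6.0esr"; the sample strings below are constructed, not captured from real installs.

```python
import re
import shutil
import subprocess

# Fixed versions from the advisory: the 128 branch is fixed at 128.7,
# the mainline branch at 135. Everything older on either branch is affected.
ESR_FIXED = (128, 7)
MAINLINE_FIXED = 135

# Matches "128.6.0", "135.0" or "135.0b3"; suffixes like "esr" are ignored.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from text such as 'Thunderbird 128.6.0esr',
    or None when no version number is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(version_text):
    """True if the version is below 128.7 on the 128 branch, or below 135 otherwise."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"no version number found in {version_text!r}")
    major, minor, _ = v
    if major == ESR_FIXED[0]:
        return minor < ESR_FIXED[1]
    return major < MAINLINE_FIXED  # covers <128 and 129..134 alike


def check_local_install():
    """Run `thunderbird --version` (assumed Linux PATH name) and classify it.
    Returns None when Thunderbird is not on PATH."""
    exe = shutil.which("thunderbird")
    if exe is None:
        return None
    out = subprocess.run([exe, "--version"], capture_output=True, text=True, check=False).stdout
    return is_vulnerable(out)


if __name__ == "__main__":
    # Constructed sample outputs for illustration.
    for sample in ["Thunderbird 128.6.0esr", "Thunderbird 128.7.0esr",
                   "Thunderbird 134.0", "Thunderbird 135.0"]:
        print(f"{sample}: {'VULNERABLE' if is_vulnerable(sample) else 'fixed'}")
```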

📡 Detection & Monitoring

Log Indicators:

  • Unusual address book import activity
  • Multiple failed import attempts

Network Indicators:

  • Connections to suspicious domains from Thunderbird process

SIEM Query (generic pseudo-query; adapt field names to your SIEM's schema):

process:thunderbird AND (event:import OR url:*malicious* OR user_agent:thunderbird)

The url:*malicious* clause is a placeholder: replace it with a match against your own URL or domain blocklist, since nothing in a real attack will literally contain the word "malicious".
