CVE-2025-1015

MEDIUM

Thunderbird < 128.7 and < 135 - Stored Cross-Site Scripting via Address Book URI Field Import

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-1015, a PoC published by r3m0t3nu11.

AI-analyzed exploit summary: The PoC generates a malicious vCard that targets CVE-2025-1015 in Thunderbird's address book. A URI field of the card carries a base64-encoded HTML payload; once the card has been imported and a user clicks the resulting link, the payload is rendered inside Thunderbird's internal browser and its JavaScript runs there (unprivileged, per the Mozilla description below).

Description

The Thunderbird Address Book URI fields contained unsanitized links. This could be used by an attacker to create and export an address book containing a malicious payload in a field. For example, in the “Other” field of the Instant Messaging section. If another user imported the address book, clicking on the link could result in opening a web page inside Thunderbird, and that page could execute (unprivileged) JavaScript. This vulnerability was fixed in Thunderbird 128.7 and Thunderbird 135.
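The following is an added example, not code from the PoC above or from Thunderbird: a pre-import scanner for exported address books that performs the check the description implies was missing. It unfolds the vCard, locates URI-typed properties, and reports any whose scheme is not on an allowlist, decoding data: URIs so the embedded HTML is visible before anyone clicks it; sanitize_uri() is the matching hardened form that keeps only allowlisted schemes. The scheme allowlist, the URI property set, and the constructed sample card (an IMPP "Other" field carrying a base64 data: URI, modelled on the description rather than copied from the PoC) are this example's own assumptions.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# Assumption: this allowlist is chosen for the example, not taken from Thunderbird.
ALLOWED_SCHEMES = {"http", "https", "mailto", "xmpp", "tel", "sip", "irc"}

# vCard properties whose value is a URI (RFC 6350); anything tagged VALUE=uri also counts.
URI_PROPERTIES = {"URL", "IMPP", "PHOTO", "LOGO", "SOUND", "SOURCE",
                  "FBURL", "CALURI", "CALADRURI", "KEY", "MEMBER", "RELATED"}

_CONTROL = re.compile(r"[\x00-\x20]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
# [group.]NAME[;params]:value  -- params may not contain ':' in this simplified grammar
_LINE = re.compile(r"^(?:[A-Za-z0-9-]+\.)?(?P<name>[A-Za-z0-9-]+)"
                   r"(?P<params>(?:;[^:]*)?):(?P<value>.*)$")


def unfold(text):
    """Undo RFC 6350 line folding: a CRLF (or LF) followed by space/tab joins lines."""
    return re.sub(r"\r?\n[ \t]", "", text)


def content_lines(text):
    """Yield (PROPERTY, [PARAMS], value) for every content line of a vCard."""
    for raw in unfold(text).splitlines():
        m = _LINE.match(raw)
        if not m:
            continue
        params = [p.upper() for p in m.group("params").split(";") if p]
        yield m.group("name").upper(), params, m.group("value")


def uri_scheme(value):
    """Lower-cased scheme of a URI after stripping ASCII controls and spaces,
    which browsers discard before matching (so 'java\\tscript:' still counts)."""
    m = _SCHEME.match(_CONTROL.sub("", value))
    return m.group(1).lower() if m else None


def decode_data_uri(value):
    """Return (mediatype, payload_bytes) for a data: URI, or None if it is not one."""
    cleaned = _CONTROL.sub("", value)
    if uri_scheme(cleaned) != "data":
        return None
    header, _, data = cleaned[5:].partition(",")
    parts = header.split(";")
    mediatype = parts[0] or "text/plain"
    if "base64" in (p.lower() for p in parts[1:]):
        data += "=" * (-len(data) % 4)  # tolerate stripped padding
        try:
            payload = base64.b64decode(data, validate=False)
        except ValueError:
            payload = b""
    else:
        payload = unquote_to_bytes(data)
    return mediatype, payload


def scan_vcard(text):
    """Report every URI-typed property whose scheme is not allowlisted."""
    findings = []
    for name, params, value in content_lines(text):
        if (name not in URI_PROPERTIES and "VALUE=URI" not in params) or not value.strip():
            continue
        scheme = uri_scheme(value)
        if scheme in ALLOWED_SCHEMES:
            continue
        finding = {"property": name, "scheme": scheme, "value": value}
        decoded = decode_data_uri(value)
        if decoded:
            finding["mediatype"], payload = decoded
            finding["preview"] = payload[:200].decode("utf-8", "replace")
        findings.append(finding)
    return findings


def sanitize_uri(value):
    """Hardened counterpart: keep a URI only if its scheme is allowlisted."""
    return value if uri_scheme(value) in ALLOWED_SCHEMES else None


# Constructed sample card (not the PoC's output): an "Other" IM field holding
# base64-encoded HTML, with the long line folded as an exporter would.
SAMPLE_PAYLOAD = "<script>alert(document.domain)</script>"
_b64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
SAMPLE_VCARD = (
    "BEGIN:VCARD\r\nVERSION:4.0\r\nFN:Alice Example\r\n"
    "EMAIL:alice@example.com\r\nURL:https://example.com/alice\r\n"
    "IMPP;X-SERVICE-TYPE=Other:data:text/html;base64," + _b64[:20] + "\r\n"
    " " + _b64[20:] + "\r\nEND:VCARD\r\n"
)

if __name__ == "__main__":
    for f in scan_vcard(SAMPLE_VCARD):
        print(f"{f['property']}: scheme={f['scheme']} preview={f.get('preview')!r}")
```

Running the file prints the single finding for the IMPP field with the decoded HTML; the https URL passes the allowlist and is not reported. A relative or scheme-less value is reported with scheme None, which is the conservative choice for a pre-import check.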

Exploits (1)

nomisec · WORKING POC · 3 stars
by r3m0t3nu11 · poc
https://github.com/r3m0t3nu11/CVE-2025-1015

Classification: Working PoC (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Mozilla Thunderbird (version not specified)
Authentication: none required
Prerequisites: victim must import the malicious vCard, then click the malicious link in Thunderbird
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3.1 base score: 5.4 (Medium)
EPSS: 0.0128 (1.28%)
EPSS percentile: 66.2%
Attack Vector: Network
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (3)
Mozilla/Thunderbird 128.0.1 - 128.7.0
Mozilla/Thunderbird 128.7 - 128.*
Mozilla/Thunderbird 135
Note: the description above gives 128.7 and 135 as the fixed releases, so only versions before 128.7 on the 128 branch and before 135 are affected; the second and third product entries, and the 128.7.0 upper bound of the first, conflict with the description and should be read against it.
Published Feb 04, 2025
Tracked Since Feb 18, 2026