#VU103615 Input validation error in Mozilla Thunderbird - CVE-2025-1015


Updated: 2025-02-07

Vulnerability identifier: #VU103615

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2025-1015

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Mozilla Thunderbird
Client/Desktop applications / Messaging software

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input when handling the Address Book URI fields. A remote attacker can create and export an address book containing a malicious payload in a URI field, trick the victim into importing the address book and clicking on the resulting link, and thereby open a web page inside Thunderbird.
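The weakness described above is a missing check on URI-bearing fields before they become clickable links. The following Python snippet is an added illustration of that check, not Mozilla's code and not the actual fix shipped for CVE-2025-1015: it scans a vCard-style address book (a constructed sample is embedded) and only accepts URI fields whose scheme is on an allowlist and whose structure is well-formed. The property names treated as URI-bearing and the allowlisted schemes are assumptions chosen for the example.

```python
# Added illustrative example (not Mozilla's code and not the real fix for
# CVE-2025-1015): validate URI-bearing fields of an imported address book
# against a scheme allowlist before they are rendered as clickable links.
from urllib.parse import urlsplit

# Assumed policy for this example: only these schemes may become links.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# vCard properties treated as URI-bearing (assumption for this example).
URI_PROPERTIES = ("URL", "PHOTO", "LOGO", "SOUND")

def check_uri(value: str) -> tuple[bool, str]:
    """Return (accepted, reason); reject empty, malformed or non-allowlisted URIs."""
    value = value.strip()
    if not value:
        return False, "empty"
    # Embedded control characters are a classic way to confuse link parsers.
    if any(ord(c) < 0x20 for c in value):
        return False, "control character"
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if not scheme:
        return False, "missing scheme"
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme '{scheme}' not allowed"
    if scheme in ("http", "https") and not parts.netloc:
        return False, "missing host"
    return True, "ok"

def audit_vcard(text: str) -> list[tuple[str, str, bool, str]]:
    """Scan vCard lines and return (property, value, accepted, reason) per URI field."""
    results = []
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        name, value = raw.split(":", 1)
        prop = name.split(";", 1)[0].upper()  # drop parameters such as ;TYPE=WORK
        if prop in URI_PROPERTIES:
            ok, why = check_uri(value)
            results.append((prop, value, ok, why))
    return results

# Constructed sample address book: one acceptable link, two that must be refused.
SAMPLE_VCARD = """BEGIN:VCARD
VERSION:3.0
FN:Alice Example
EMAIL:alice@example.com
URL;TYPE=WORK:https://example.org/alice
URL:ftp://example.org/pub
PHOTO;VALUE=URI:data:image/png;base64,AAAA
END:VCARD
"""

if __name__ == "__main__":
    for prop, value, ok, why in audit_vcard(SAMPLE_VCARD):
        print(f"{'ACCEPT' if ok else 'REJECT'} {prop}={value!r} ({why})")
```

Running the block prints one line per URI field of the sample; in a real importer the rejected values would be stored as plain text or dropped rather than rendered as links. The check deliberately uses an allowlist instead of a blocklist, since the set of schemes a mail client can safely open is far smaller than the set it should refuse.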

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Mozilla Thunderbird: 102.0 - 102.15.1, 115.0 - 115.18.0, 128.0 - 128.6.0
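As an added helper that is not part of the advisory and not from Mozilla, the following Python function checks an installed Thunderbird version string against the three affected ranges listed above, treating both ends of each range as inclusive and tolerating suffixes such as "esr". A version outside every range is simply not listed by this entry; the page itself does not state which later releases contain the fix, so consult the linked vendor advisory for that.

```python
# Added helper (not from the advisory or Mozilla): decide whether an installed
# Thunderbird version string lies within the affected ranges the entry lists.
import re

# Affected ranges exactly as stated in the advisory (inclusive on both ends).
AFFECTED_RANGES = [
    ("102.0", "102.15.1"),
    ("115.0", "115.18.0"),
    ("128.0", "128.6.0"),
]

def parse_version(v: str) -> tuple[int, ...]:
    """Turn '128.6.0esr' or '115.18' into a comparable tuple padded to 3 parts."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def is_affected(installed: str) -> bool:
    """True if `installed` falls inside any listed affected range (inclusive)."""
    v = parse_version(installed)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)

if __name__ == "__main__":
    # Constructed sample inputs, not versions observed anywhere in particular.
    for ver in ("128.6.0esr", "128.7.0", "115.18.0", "115.18.1", "102.15.1", "91.0"):
        print(f"{ver:12} affected={is_affected(ver)}")
```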


External links
https://www.mozilla.org/en-US/security/advisories/mfsa2025-10/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

