CVE-2025-3875

Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name  ", Thunderbird treats spoofed@example.com as the actual address. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| mozilla | CNA | --- | | | | --- |
| CISA-ADP | ADP | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
EPSS Score percentile: 13%
| Vendor | Product | Version |
|---|---|---|
| mozilla | thunderbird | 𝑥 < 128.10.0 |
| mozilla | thunderbird | 129.0 ≤ 𝑥 < 138.0.1 |

𝑥 = Vulnerable software versions
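Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| thunderbird | bullseye | | vulnerable |
| thunderbird | bullseye (security) | 1:128.12.0esr-1~deb11u1 | fixed |
| thunderbird | bookworm | | vulnerable |
| thunderbird | bookworm (security) | 1:128.12.0esr-1~deb12u1 | fixed |
| thunderbird | trixie | 1:128.12.0esr-1 | fixed |
| thunderbird | sid | 1:128.12.0esr-1 | fixed |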