CVE-2025-3875

Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1950629	Permissions Required
https://www.mozilla.org/security/advisories/mfsa2025-34/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-35/	Vendor Advisory
https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mozilla:thunderbird::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::

History

No history.

Information

Published : 2025-05-14 17:15

Updated : 2025-11-03 20:18

NVD link : CVE-2025-3875

Mitre link : CVE-2025-3875

CVE.ORG link : CVE-2025-3875

JSON object : View

Products Affected

mozilla

thunderbird

CWE

CWE-290

Authentication Bypass by Spoofing

{"id": "CVE-2025-3875", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-05-14T17:15:48.470", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1950629", "tags": ["Permissions Required"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-34/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-35/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-290"}]}], "descriptions": [{"lang": "en", "value": "Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value \"Spoofed Name \", Thunderbird treats spoofed@example.com as the actual address. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1."}, {"lang": "es", "value": "Thunderbird analiza las direcciones de forma que puede permite la suplantaci\u00f3n del remitente si el servidor permite el uso de una direcci\u00f3n de remitente no v\u00e1lida. Por ejemplo, si el encabezado \"De\" contiene el valor (inv\u00e1lido) \"Nombre falsificado\", Thunderbird trata spoofed@example.com como la direcci\u00f3n real. Esta vulnerabilidad afecta a Thunderbird < 128.10.1 y Thunderbird < 138.0.1."}], "lastModified": "2025-11-03T20:18:48.080", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "47A000D1-78D1-43A0-BBA8-5018439291D3", "versionEndExcluding": "128.10.0"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4AFE1A41-57DD-4532-9F3F-D3E9705868BA", "versionEndExcluding": "138.0.1", "versionStartIncluding": "129.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@mozilla.org"}