High severity7.5NVD Advisory· Published May 14, 2025· Updated Apr 13, 2026
CVE-2025-3875
CVE-2025-3875
Description
Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
9cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*range: <128.10.0
- (no CPE)range: <128.10.1 || <138.0.1
- osv-coords7 versionspkg:rpm/almalinux/thunderbirdpkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Tumbleweedpkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP6pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP6pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP7
< 128.10.1-1.el10_0.alma.1+ 6 more
- (no CPE)range: < 128.10.1-1.el10_0.alma.1
- (no CPE)range: < 128.10.1-150200.8.215.1
- (no CPE)range: < 128.10.1-1.1
- (no CPE)range: < 128.10.1-150200.8.215.1
- (no CPE)range: < 128.10.1-150200.8.215.1
- (no CPE)range: < 128.10.1-150200.8.215.1
- (no CPE)range: < 128.10.1-150200.8.215.1
Patches
Vulnerability mechanics
References
4- www.mozilla.org/security/advisories/mfsa2025-34/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2025-35/nvdVendor Advisory
- bugzilla.mozilla.org/show_bug.cginvdPermissions Required
- lists.debian.org/debian-lts-announce/2025/05/msg00022.htmlnvd
News mentions
0No linked articles in our index yet.