High severity7.5NVD Advisory· Published May 14, 2025· Updated Apr 13, 2026

CVE-2025-3875

Description

Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.

Affected products

Mozilla Corporation/Thunderbird
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Range: <128.10.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.mozilla.org/security/advisories/mfsa2025-34/nvdVendor Advisory
www.mozilla.org/security/advisories/mfsa2025-35/nvdVendor Advisory
bugzilla.mozilla.org/show_bug.cginvdPermissions Required
lists.debian.org/debian-lts-announce/2025/05/msg00022.htmlnvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000