CVE-2025-0510: Insufficient Verification of Data Authenticity in Mozilla Thunderbird

Severity
6.5 MEDIUM (NVD)
CNA: 7.5 | OSV: 7.5
EPSS: 0.4% (top 40.74%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Feb 4
Latest update: Jul 22

Description

Thunderbird displayed an incorrect sender address if the From field of an email used the invalid group name syntax that is described in CVE-2024-49040. This vulnerability was fixed in Thunderbird 128.7 and Thunderbird 135.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

NVD: mozilla/thunderbird 128.0.1 128.7.0 +1
Debian: mozilla/thunderbird < 1:128.7.0esr-1~deb11u1 +3

🔴 Vulnerability Details (3)

GHSA
GHSA-9h64-69xj-vx28: Thunderbird displayed an incorrect sender address if the From field of an email used the invalid group name syntax that is described in CVE-2024-49040 (2025-02-04)
OSV
CVE-2025-0510: Thunderbird displayed an incorrect sender address if the From field of an email used the invalid group name syntax that is described in CVE-2024-49040 (2025-02-04)
CVEList
Address of e-mail sender can be spoofed by malicious email (2025-02-04)

📋 Vendor Advisories (5)

Ubuntu
Thunderbird vulnerabilities (2025-07-22)
Red Hat
thunderbird: Address of e-mail sender can be spoofed by malicious email (2025-02-04)
Debian
CVE-2025-0510: thunderbird - Thunderbird displayed an incorrect sender address if the From field of an email ... (2025)
Mozilla
Mozilla Foundation Security Advisory 2025-10: CVE-2025-0510
Mozilla
Mozilla Foundation Security Advisory 2025-11: CVE-2025-0510