CVE-2025-3875 — Authentication Bypass by Spoofing in Mozilla Thunderbird
CWE-290 — Authentication Bypass by Spoofing; CWE-122 — Heap-based Buffer Overflow
10 documents, 9 sources
Severity: 7.5 HIGH (NVD)
EPSS: 0.4% (top 40.80%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected packages below
Timeline: Published May 14; latest update Jul 22
Description
Thunderbird parses addresses in a way that can allow sender spoofing if the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats [email protected] as the actual address. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.
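A defensive check for the class of From header the description refers to, added here as an example and not code from Thunderbird or from the advisory: it parses the From header with Python's RFC 5322 parser (email.policy.default), records any syntax defects the parser tolerated, and flags a display name that itself looks like an address, which is where a reader's eye and the client's notion of the "actual address" can diverge. The three sample messages are constructed for the example.

```python
from email import policy
from email.errors import HeaderParseError
from email.parser import BytesParser

# Constructed sample messages (not taken from the advisory): a well-formed
# From header, one whose quoted display name merely looks like an address,
# and an invalid one carrying two angle-addresses with no separator.
CLEAN = b"From: Alice Example <alice@example.com>\r\n\r\nhello\r\n"
LOOKALIKE = (b'From: "Spoofed Name <spoofed@example.com>" <attacker@example.com>'
             b"\r\n\r\nhello\r\n")
DOUBLE_ADDR = (b"From: Spoofed Name <spoofed@example.com> <attacker@example.com>"
               b"\r\n\r\nhello\r\n")


def check_from_header(raw: bytes) -> dict:
    """Parse the From header under RFC 5322 rules and report anything that
    could make the rendered sender differ from the address actually used.

    Returns {"mailboxes": [(display_name, addr_spec), ...], "findings": [...]}.
    An empty findings list means exactly one cleanly parsed mailbox whose
    display name does not itself contain an address-like token.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    try:
        header = msg.get("From")
    except HeaderParseError as exc:  # unparseable even with defect recording
        return {"mailboxes": [], "findings": [f"unparseable From: {exc}"]}
    if header is None:
        return {"mailboxes": [], "findings": ["missing From header"]}
    # policy.default records syntax violations as defects instead of raising,
    # so an invalid header still yields a mailbox list plus a defect list.
    findings = [f"defect: {type(d).__name__}: {d}" for d in header.defects]
    mailboxes = [(a.display_name or "", a.addr_spec) for a in header.addresses]
    if len(mailboxes) != 1:
        findings.append(f"expected one mailbox, found {len(mailboxes)}")
    for name, _ in mailboxes:
        if "@" in name or "<" in name:
            findings.append(f"display name looks like an address: {name!r}")
    return {"mailboxes": mailboxes, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("lookalike", LOOKALIKE),
                          ("double", DOUBLE_ADDR)):
        print(label, check_from_header(sample))
```

A gateway or filter can reject or tag messages whose findings list is non-empty before any client has to decide which address to show.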
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Affected packages: 2 packages
Vulnerability details (3 documents)
  GHSA-rg69-33g2-mp48 (2025-05-14): Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used
  OSV CVE-2025-3875 (2025-05-14): Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used
Vendor advisories (6 documents)
  Debian CVE-2025-3875 (2025): thunderbird - Thunderbird parses addresses in a way that can allow sender spoofing in case the...