Description
Thunderbird displayed an incorrect sender address if the From field of an email used the invalid group name syntax that is described in CVE-2024-49040. This vulnerability was fixed in Thunderbird 128.7 and Thunderbird 135.
Published: 2025-02-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Email Spoofing
Action: Patch
AI Analysis

Impact

Thunderbird will display an incorrect sender address when the From field uses an invalid group name syntax, allowing an attacker to spoof the displayed sender address of an email. The flaw is a result of improper validation of the From header and can be used to trick users into believing a message originates from a legitimate sender, potentially leading to phishing or social engineering attacks. This weakness is reflected in the CWE identifiers CWE-345 and CWE-451.

Affected Systems

Mozilla Thunderbird releases before 128.7 (on the 128 ESR line) and before 135 are affected, as the fix was applied in releases 128.7 and 135. No explicit operating system restrictions are listed, so the issue is present on all platforms supported by Thunderbird.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate impact. The EPSS score of < 1% shows a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, an attacker would need to send a crafted email containing a malformed From header to a user running an affected Thunderbird version, relying on the user to open or view the message. The lack of a known public exploit and the low exploitation probability suggest that the risk is moderate, but it remains advisable to apply the available patch promptly.

Generated by OpenCVE AI on April 20, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Thunderbird to version 128.7 or later, such as the 135 release, to apply the official fix.
  • Configure your mail system or email client to reject or flag emails that contain malformed From headers so that potentially spoofed messages are identified before display.
  • Maintain regular updates for all email clients and monitor message headers for suspicious patterns to ensure ongoing protection against similar spoofing techniques.

Advisories

Source | ID | Title
Debian DSA | DSA-5860-1 | thunderbird security update
EUVD | EUVD-2025-1726 | Thunderbird displayed an incorrect sender address if the From field of an email used the invalid group name syntax that is described in CVE-2024-49040. This vulnerability affects Thunderbird < 128.7 and Thunderbird < 135.
Ubuntu USN | USN-7663-1 | Thunderbird vulnerabilities

History

Mon, 13 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | Thunderbird displayed an incorrect sender address if the From field of an email used the invalid group name syntax that is described in CVE-2024-49040. This vulnerability affects Thunderbird < 128.7 and Thunderbird < 135. | Thunderbird displayed an incorrect sender address if the From field of an email used the invalid group name syntax that is described in CVE-2024-49040. This vulnerability was fixed in Thunderbird 128.7 and Thunderbird 135.
Title | thunderbird: Address of e-mail sender can be spoofed by malicious email | Address of e-mail sender can be spoofed by malicious email

Tue, 15 Jul 2025 13:45:00 +0000

Type | Values Removed | Values Added
Metrics | epss {'score': 0.00046} | epss {'score': 0.00059}

Thu, 13 Feb 2025 01:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Redhat, Redhat enterprise Linux, Redhat rhel Aus, Redhat rhel E4s, Redhat rhel Eus, Redhat rhel Tus
CPEs | (none) | cpe:/a:redhat:enterprise_linux:8, cpe:/a:redhat:enterprise_linux:9, cpe:/a:redhat:rhel_aus:8.2, cpe:/a:redhat:rhel_aus:8.4, cpe:/a:redhat:rhel_aus:8.6, cpe:/a:redhat:rhel_e4s:8.4, cpe:/a:redhat:rhel_e4s:8.6, cpe:/a:redhat:rhel_e4s:9.0, cpe:/a:redhat:rhel_eus:8.8, cpe:/a:redhat:rhel_eus:9.2, cpe:/a:redhat:rhel_eus:9.4, cpe:/a:redhat:rhel_tus:8.4, cpe:/a:redhat:rhel_tus:8.6
Vendors & Products | (none) | Redhat, Redhat enterprise Linux, Redhat rhel Aus, Redhat rhel E4s, Redhat rhel Eus, Redhat rhel Tus

Fri, 07 Feb 2025 14:30:00 +0000

Type | Values Removed | Values Added
Title | (none) | thunderbird: Address of e-mail sender can be spoofed by malicious email
Weaknesses | (none) | CWE-451
References | |
Metrics | threat_severity None | threat_severity Important

Thu, 06 Feb 2025 21:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | (none) | CWE-345
Metrics | (none) | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 06 Feb 2025 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Mozilla, Mozilla thunderbird
Weaknesses | (none) | NVD-CWE-noinfo
CPEs | (none) | cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*, cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products | (none) | Mozilla, Mozilla thunderbird
Metrics | (none) | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

Tue, 04 Feb 2025 14:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | Thunderbird displayed an incorrect sender address if the From field of an email used the invalid group name syntax that is described in CVE-2024-49040. This vulnerability affects Thunderbird < 128.7 and Thunderbird < 135.
References | |

MITRE

Status: PUBLISHED
Assigner: mozilla
Published:
Updated: 2026-04-13T14:30:38.919Z
Reserved: 2025-01-15T21:26:50.144Z
Link: CVE-2025-0510

Vulnrichment

Updated: 2025-02-06T21:02:47.727Z

NVD

Status: Modified
Published: 2025-02-04T14:15:31.550
Modified: 2026-04-13T15:16:35.363
Link: CVE-2025-0510

Redhat

Severity: Important
Public Date: 2025-02-04T13:58:55Z
Links: CVE-2025-0510 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-21T00:00:13Z