Description
Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.
Published: 2025-05-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Sender Spoofing via malformed From header
Action: Patch Now
AI Analysis

Impact

Thunderbird processes the From header in a way that can allow an attacker to spoof the sender address when the mail server permits an invalid From value. The invalid header, such as 'Spoofed Name ', leads Thunderbird to treat spoofed@example.com as the legitimate address, allowing impersonation of trusted senders. This vulnerability is a form of authentication bypass (CWE-290) that could mislead users and facilitate phishing or fraud.

Affected Systems

Mozilla Thunderbird users running versions prior to 128.10.1 and 138.0.1 are potentially affected. The CVE description confirms the issue was fixed in those releases.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, but the EPSS score of < 1% suggests that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit it simply by sending a crafted email with an improperly formatted From header from a server that accepts such headers, with no additional privileges required. The attack would not directly compromise the system but could deceive users into trusting spoofed messages.

Generated by OpenCVE AI on April 20, 2026 at 17:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Thunderbird to version 128.10.1 or later (138.0.1 is the current stable release). This corrects the parsing logic that allows spoofed From addresses.
  • Configure your mail server to reject messages whose From header does not comply with RFC 5322 syntax, preventing spoofed messages from reaching Thunderbird clients.
  • Monitor inbound mail for repeated use of spoofed sender addresses and enforce stricter sender verification policies to mitigate residual risk if the patched client cannot be immediately deployed.
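The RFC 5322 check suggested in the second recommendation, as an added example that is not part of the OpenCVE page or of any Mozilla code: a strict single-mailbox validator a mail gateway could run over the From header, which rejects malformed values and additionally flags display names that themselves contain address-like text. The sample headers are constructed; the address following the quoted display name is a placeholder, not the advisory's value.

```python
import re

# Simplified RFC 5322 mailbox grammar (no comments, folding whitespace or
# obsolete forms): either a bare addr-spec or [display-name] "<" addr-spec ">".
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
QUOTED_STRING = r'"(?:[^"\\\r\n]|\\.)*"'
ADDR_SPEC = rf"(?:{DOT_ATOM}|{QUOTED_STRING})@{DOT_ATOM}"
DISPLAY_NAME = rf"(?:{QUOTED_STRING}|{ATEXT}+(?:[ \t]+{ATEXT}+)*)"
MAILBOX_RE = re.compile(
    rf"^[ \t]*(?:(?P<bare>{ADDR_SPEC})"
    rf"|(?:(?P<name>{DISPLAY_NAME})[ \t]*)?<(?P<addr>{ADDR_SPEC})>)[ \t]*$"
)
# Anything inside a display name that a lenient parser might read as an address.
ADDR_LIKE_RE = re.compile(rf"<[^>]*>|{DOT_ATOM}@{DOT_ATOM}")


def check_from_header(value: str) -> dict:
    """Gateway-side verdict on a raw From header value.

    Rejects anything that is not exactly one well-formed mailbox, and also
    flags a syntactically valid mailbox whose display name carries
    address-like text, since that is what a client could show as the sender.
    """
    m = MAILBOX_RE.match(value)
    if m is None:
        return {"valid": False, "address": None, "display_name": None,
                "reasons": ["not a single RFC 5322 mailbox"]}
    address = m.group("bare") or m.group("addr")
    name = m.group("name")
    reasons = []
    if name and ADDR_LIKE_RE.search(name):
        reasons.append("display name contains address-like text")
    return {"valid": not reasons, "address": address,
            "display_name": name, "reasons": reasons}


# Constructed sample headers (not taken from the advisory).  The two spoofed
# samples follow the pattern the CVE text describes; the address after the
# quoted display name is a placeholder, not the advisory's value.
SAMPLES = {
    "clean": '"Alice Example" <alice@example.org>',
    "bare": "alice@example.org",
    "nested": '"Spoofed Name <spoofed@example.com>" <real-sender@placeholder.invalid>',
    "dangling": '"Spoofed Name <spoofed@example.com>"',
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        verdict = check_from_header(header)
        print(f"{label:9} valid={verdict['valid']!s:5} "
              f"address={verdict['address']} reasons={verdict['reasons']}")
```

A gateway would reject both spoofed samples: the dangling one fails the grammar outright, the nested one is well-formed but carries an embedded angle-addr in its display name.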

Advisories
Source, ID: Title
Debian DLA, DLA-4167-1: thunderbird security update
Debian DSA, DSA-5921-1: thunderbird security update
EUVD, EUVD-2025-14938: Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
Ubuntu USN, USN-7663-1: Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
Values Added: Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.
Type: Title
Values Removed: thunderbird: Sender Spoofing via Malformed From Header in Thunderbird
Values Added: Sender Spoofing via Malformed From Header in Thunderbird

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Wed, 11 Jun 2025 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:rhel_e4s:8.8
cpe:/a:redhat:rhel_tus:8.8

Fri, 06 Jun 2025 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_tus:8.6
Vendors & Products Redhat rhel Tus

Thu, 05 Jun 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla thunderbird

Tue, 03 Jun 2025 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
CPEs cpe:/a:redhat:rhel_aus:8.2
Vendors & Products Redhat rhel Aus

Sat, 31 May 2025 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel E4s
Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_eus:9.4
Vendors & Products Redhat rhel E4s
Redhat rhel Eus

Wed, 28 May 2025 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:9
cpe:/o:redhat:enterprise_linux:10.0
Vendors & Products Redhat
Redhat enterprise Linux

Wed, 21 May 2025 03:00:00 +0000


Fri, 16 May 2025 15:00:00 +0000

Type Values Removed Values Added
Title thunderbird: Sender Spoofing via Malformed From Header in Thunderbird
References
Metrics threat_severity (removed): None
Metrics threat_severity (added): Important


Thu, 15 May 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-290
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 14 May 2025 17:15:00 +0000

Type Values Removed Values Added
Description Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:27:50.877Z

Reserved: 2025-04-22T16:38:29.461Z

Link: CVE-2025-3875

Vulnrichment

Updated: 2025-11-03T19:58:36.011Z

NVD

Status : Modified

Published: 2025-05-14T17:15:48.470

Modified: 2026-04-13T15:16:58.377

Link: CVE-2025-3875

Redhat

Severity : Important

Public Date: 2025-05-14T16:56:42Z

Links: CVE-2025-3875 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T17:15:12Z

Weaknesses