{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3875", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-04-22T16:38:29.461Z", "datePublished": "2025-05-14T16:56:42.950Z", "dateUpdated": "2026-04-13T14:27:50.877Z"}, "containers": {"cna": {"affected": [{"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "128.10.1", "lessThanOrEqual": "128.*", "versionType": "rpm"}, {"status": "unaffected", "version": "138.0.1", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value \"Spoofed Name \", Thunderbird treats spoofed@example.com as the actual address. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value \"Spoofed Name <spoofed@example.com> <legitimate@example.com>\", Thunderbird treats spoofed@example.com as the actual address. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1."}]}], "title": "Sender Spoofing via Malformed From Header in Thunderbird", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1950629"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-34/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-35/"}], "credits": [{"lang": "en", "value": "xh4vm"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:27:50.877Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-290", "lang": "en", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-05-15T14:52:16.337372Z", "id": "CVE-2025-3875", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-15T14:52:49.671Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:58:36.011Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:58:36.011Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-3875", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-15T14:52:16.337372Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290 Authentication Bypass by Spoofing"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-15T14:52:43.556Z"}}], "cna": {"title": "Sender Spoofing via Malformed From Header in Thunderbird", "credits": [{"lang": "en", "value": "xh4vm"}], "affected": [{"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "128.10.1", "versionType": "rpm", "lessThanOrEqual": "128.*"}, {"status": "unaffected", "version": "138.0.1", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1950629"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-34/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-35/"}], "descriptions": [{"lang": "en", "value": "Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value \"Spoofed Name \", Thunderbird treats spoofed@example.com as the actual address. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.", "supportingMedia": [{"type": "text/html", "value": "Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value \"Spoofed Name <spoofed@example.com> <legitimate@example.com>\", Thunderbird treats spoofed@example.com as the actual address. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:27:50.877Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3875", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:27:50.877Z", "dateReserved": "2025-04-22T16:38:29.461Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-05-14T16:56:42.950Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "47A000D1-78D1-43A0-BBA8-5018439291D3", "versionEndExcluding": "128.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "4AFE1A41-57DD-4532-9F3F-D3E9705868BA", "versionEndExcluding": "138.0.1", "versionStartIncluding": "129.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value \"Spoofed Name \", Thunderbird treats spoofed@example.com as the actual address. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1."}, {"lang": "es", "value": "Thunderbird analiza las direcciones de forma que puede permite la suplantaci\u00f3n del remitente si el servidor permite el uso de una direcci\u00f3n de remitente no v\u00e1lida. Por ejemplo, si el encabezado \"De\" contiene el valor (inv\u00e1lido) \"Nombre falsificado\", Thunderbird trata spoofed@example.com como la direcci\u00f3n real. Esta vulnerabilidad afecta a Thunderbird &lt; 128.10.1 y Thunderbird &lt; 138.0.1."}], "id": "CVE-2025-3875", "lastModified": "2026-04-13T15:16:58.377", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-05-14T17:15:48.470", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1950629"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-34/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-35/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:8196", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "thunderbird-0:128.10.1-1.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-05-27T00:00:00Z"}, {"advisory": "RHSA-2025:8756", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:128.11.0-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-06-10T00:00:00Z"}, {"advisory": "RHSA-2025:8391", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "thunderbird-0:128.10.1-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2025-06-02T00:00:00Z"}, {"advisory": "RHSA-2025:8507", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "thunderbird-0:128.10.1-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2025-06-04T00:00:00Z"}, {"advisory": "RHSA-2025:8594", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "thunderbird-0:128.10.1-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2025-06-05T00:00:00Z"}, {"advisory": "RHSA-2025:8594", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "thunderbird-0:128.10.1-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2025-06-05T00:00:00Z"}, {"advisory": "RHSA-2025:8594", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "thunderbird-0:128.10.1-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2025-06-05T00:00:00Z"}, {"advisory": "RHSA-2025:8784", "cpe": "cpe:/a:redhat:rhel_tus:8.8", "package": "thunderbird-0:128.10.1-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date": "2025-06-10T00:00:00Z"}, {"advisory": "RHSA-2025:8784", "cpe": "cpe:/a:redhat:rhel_e4s:8.8", "package": "thunderbird-0:128.10.1-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date": "2025-06-10T00:00:00Z"}, {"advisory": "RHSA-2025:8203", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:128.10.1-1.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-27T00:00:00Z"}, {"advisory": "RHSA-2025:8324", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "thunderbird-0:128.10.1-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2025-05-29T00:00:00Z"}, {"advisory": "RHSA-2025:8326", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "thunderbird-0:128.10.1-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2025-05-29T00:00:00Z"}, {"advisory": "RHSA-2025:8325", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "thunderbird-0:128.10.1-1.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-05-29T00:00:00Z"}], "bugzilla": {"description": "thunderbird: Sender Spoofing via Malformed From Header in Thunderbird", "id": "2366287", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366287"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-290", "details": ["Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value \"Spoofed Name \", Thunderbird treats spoofed@example.com as the actual address. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.", "The Mozilla Foundation's Security Advisory describes the following issue: Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value \"Spoofed Name spoofed@example.com legitimate@example.com\", Thunderbird treats spoofed@example.com as the actual address."], "name": "CVE-2025-3875", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rhel10/thunderbird-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2025-05-14T16:56:42Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-3875\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-3875\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2025-34/#CVE-2025-3875"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Important"}

{}