CVE-2025-3875

high

Description

Thunderbird parses addresses in a way that can allow sender spoofing if the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats [email protected] as the actual address. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.

References

https://www.mozilla.org/security/advisories/mfsa2025-35/

https://www.mozilla.org/security/advisories/mfsa2025-34/

https://bugzilla.mozilla.org/show_bug.cgi?id=1950629

Details

Source: MITRE, NVD

Published: 2025-05-14

Updated: 2025-05-16

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High

EPSS

EPSS: 0.00017