VDB
DEBIAN-CVE-2025-3875
DEBIAN-CVE-2025-3875
PUBLISHED
CVSS 7.5 HIGH
Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1.
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | thunderbird | 128.1.0, 128.1.1, 128.10.0 |
| Debian:11 | thunderbird | 102.15.1-1, 102.15.1-1, 102.2.0-1 |
| Debian:14 | thunderbird | 0, 0 |
| Debian:13 | thunderbird | 0, 0 |
Timeline
- May 14, 2025 CVE Published
- Apr 28, 2026 CVE Updated