What is the severity of CVE-2025-3875?

CVE-2025-3875 is classified as a medium severity vulnerability due to its potential for sender spoofing.

How do I fix CVE-2025-3875?

To fix CVE-2025-3875, update Mozilla Thunderbird to version 128.10.1 or 138.0.1 or later.

What versions of Thunderbird are affected by CVE-2025-3875?

CVE-2025-3875 affects versions of Mozilla Thunderbird prior to 128.10.1 and prior to 138.0.1.

What can happen if I am affected by CVE-2025-3875?

If affected by CVE-2025-3875, users may be misled by emails that appear to come from spoofed addresses.

Is there a workaround for CVE-2025-3875 before applying the patch?

There are no documented workarounds for CVE-2025-3875, so users should apply the required updates as soon as possible.

Vulnerability/
CVE-2025-3875

high

7.5

CWE

290

13/5/2025

14/5/2025

16/5/2025

CVE-2025-3875

First published: Tue May 13 2025(Updated: )

Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name spoofed@example.com legitimate@example.com", Thunderbird treats spoofed@example.com as the actual address.

Credit: security@mozilla.org

Affected Software	Affected Version	How to fix
Thunderbird	<128.10.1
Thunderbird	<138.0.1
Thunderbird	<128.10.1	128.10.1
Thunderbird	<138.0.1	138.0.1

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Peer vulnerabilities

(Found alongside the following vulnerabilities)

Frequently Asked Questions

What is the severity of CVE-2025-3875?
CVE-2025-3875 is classified as a medium severity vulnerability due to its potential for sender spoofing.
How do I fix CVE-2025-3875?
To fix CVE-2025-3875, update Mozilla Thunderbird to version 128.10.1 or 138.0.1 or later.
What versions of Thunderbird are affected by CVE-2025-3875?
CVE-2025-3875 affects versions of Mozilla Thunderbird prior to 128.10.1 and prior to 138.0.1.
What can happen if I am affected by CVE-2025-3875?
If affected by CVE-2025-3875, users may be misled by emails that appear to come from spoofed addresses.
Is there a workaround for CVE-2025-3875 before applying the patch?
There are no documented workarounds for CVE-2025-3875, so users should apply the required updates as soon as possible.

collector/mitre-cve
source/MITRE
agent/type
agent/guess-ai
agent/software-canonical-lookup
collector/mozilla-advisory
source/Mozilla
agent/references
agent/first-publish-date
agent/softwarecombine
agent/description
agent/source
agent/author
agent/tags
collector/nvd-api
source/NVD
agent/last-modified-date
agent/severity
agent/weakness
agent/event
vendor/mozilla
canonical/thunderbird

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.