PT-2025-21185 · Mozilla · Thunderbird
Xh4Vm
Published 2025-02-26 · Updated 2026-04-14
CVE-2025-3875
CVSS v2.0 base score: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:C/A:N |
Name of the Vulnerable Software and Affected Versions:
Thunderbird versions prior to 128.10.1
Thunderbird versions prior to 138.0.1
Description:
The issue allows sender spoofing when the mail server accepts a message whose From header contains an invalid (malformed) address. Thunderbird's header handling is lenient enough to extract an address from such a value and present it as the real sender, so an attacker who can get a malformed From header delivered can make a message appear to come from an address of their choosing. The impact is on the integrity of the displayed sender identity only, which is what the CVSS vector (I:C, no confidentiality or availability impact) reflects.
Recommendations:
For Thunderbird versions prior to 128.10.1, update to version 128.10.1 or later.
For Thunderbird versions prior to 138.0.1, update to version 138.0.1 or later.
As a temporary workaround, until the update can be applied, configure the receiving mail server or gateway to reject or quarantine messages whose From header does not contain a syntactically valid sender address, so that such messages never reach the client.
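The server-side workaround above amounts to refusing to deliver messages whose From header is not a single, well-formed mailbox. The following is an added example of such a gateway check, not code from Thunderbird or from this advisory: it uses the Python standard library's RFC 5322 header parser (email.policy.default), which records parse defects instead of silently settling on an address, and layers a few policy rules on top. The sample messages are constructed for illustration; the advisory does not publish the exact malformed header that triggers CVE-2025-3875, so the "address followed by trailing text" sample only stands in for that class of input. The reject_at_in_name rule is an assumed local policy that is stricter than RFC 5322, which permits '@' inside a quoted display name.

```python
"""Gateway-side check for malformed From headers (added example, not Thunderbird code).

Uses the stdlib RFC 5322 header parser (email.policy.default) and treats any
parse defect, a missing or duplicate From field, or a multi-mailbox From as a reject.
"""
import email
from email import policy
from dataclasses import dataclass, field
from typing import List


@dataclass
class FromCheck:
    ok: bool = True
    reasons: List[str] = field(default_factory=list)
    # What the best-effort parser still hands back, even for a defective header.
    # A consumer that ignores the defect list would display this as the sender.
    addr_spec: str = ""
    display_name: str = ""

    def fail(self, why: str) -> None:
        self.ok = False
        self.reasons.append(why)


def check_from_header(raw_message: str, reject_at_in_name: bool = True) -> FromCheck:
    """Return ok=True only for exactly one From field holding one defect-free mailbox."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    result = FromCheck()
    fields = msg.get_all("From") or []
    if len(fields) != 1:  # RFC 5322 requires exactly one From field
        result.fail(f"expected exactly one From field, found {len(fields)}")
        if not fields:
            return result
    hdr = fields[0]  # email.headerregistry.AddressHeader
    for defect in hdr.defects:  # the parser kept going but recorded each problem
        result.fail(f"parse defect: {defect}")
    mailboxes = hdr.addresses
    if len(mailboxes) != 1:  # assumed policy: a single sender mailbox only
        result.fail(f"expected one mailbox, found {len(mailboxes)}")
        return result
    addr = mailboxes[0]
    result.addr_spec = addr.addr_spec
    result.display_name = addr.display_name
    if not addr.username or not addr.domain:
        result.fail(f"incomplete addr-spec {addr.addr_spec!r}")
    # Assumed local policy, stricter than RFC 5322: a display name that itself
    # looks like an address is the classic display-name spoof.
    if reject_at_in_name and "@" in addr.display_name:
        result.fail(f"display name contains '@': {addr.display_name!r}")
    return result


def _msg(from_lines: List[str]) -> str:
    """Build a minimal constructed message around the given From line(s)."""
    return "\n".join(from_lines + ["To: bob@example.com", "Subject: test", "", "body", ""])


# Constructed samples; the advisory does not publish the real malformed input.
SAMPLES = {
    "well_formed": _msg(["From: Alice <alice@example.com>"]),
    "addr_then_garbage": _msg(["From: alice@example.com <attacker@evil.example>"]),
    "name_looks_like_addr": _msg(['From: "alice@example.com" <attacker@evil.example>']),
    "duplicate_from": _msg(["From: Alice <alice@example.com>", "From: attacker@evil.example"]),
    "empty_from": _msg(["From:"]),
}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        r = check_from_header(raw)
        verdict = "ACCEPT" if r.ok else "REJECT"
        print(f"{label:22} {verdict:6} sender={r.addr_spec!r} name={r.display_name!r}")
        for why in r.reasons:
            print(f"{'':22}   - {why}")
```

Run it directly to print a verdict per sample. The point to notice is the addr_then_garbage case: the parser still returns alice@example.com as the mailbox, which is exactly what a consumer that never looks at hdr.defects would show as the sender, so the defect list, not the extracted address, is the signal to act on. Wire check_from_header into whatever hook the gateway offers (a milter, a Sieve pre-filter) and reject or quarantine whenever ok is False.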
Fix
Weakness types (CWE):
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
Authentication Bypass by Spoofing (CWE-290)
Affected Products
Alt Linux
AlmaLinux
Astra Linux
CentOS
Debian
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Thunderbird
Ubuntu