CVE-2025-3875 Information
May 15, 2025
Description
Thunderbird parses addresses in a way that can allow sender spoofing if the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value \Spoofed Name \, Thunderbird treats spoofed@example.com as the actual address. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
Reference
https://bugzilla.mozilla.org/show_bug.cgi?id=1950629
https://www.mozilla.org/security/advisories/mfsa2025-34/
https://www.mozilla.org/security/advisories/mfsa2025-35/