CVE-2025-3875

{"id": "CVE-2025-3875", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-05-14T17:15:48.470", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1950629", "tags": ["Permissions Required"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-34/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-35/", "tags": ["Vendor Advisory"], "source": "security@mozilla.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-290"}]}], "descriptions": [{"lang": "en", "value": "Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value \"Spoofed Name \", Thunderbird treats spoofed@example.com as the actual address. This vulnerability was fixed in Thunderbird 128.10.1 and Thunderbird 138.0.1."}, {"lang": "es", "value": "Thunderbird analiza las direcciones de forma que puede permite la suplantaci\u00f3n del remitente si el servidor permite el uso de una direcci\u00f3n de remitente no v\u00e1lida. Por ejemplo, si el encabezado \"De\" contiene el valor (inv\u00e1lido) \"Nombre falsificado\", Thunderbird trata spoofed@example.com como la direcci\u00f3n real. Esta vulnerabilidad afecta a Thunderbird < 128.10.1 y Thunderbird < 138.0.1."}], "lastModified": "2026-04-13T15:16:58.377", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "47A000D1-78D1-43A0-BBA8-5018439291D3", "versionEndExcluding": "128.10.0"}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4AFE1A41-57DD-4532-9F3F-D3E9705868BA", "versionEndExcluding": "138.0.1", "versionStartIncluding": "129.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@mozilla.org"}