CVE-2025-0510

6.5 MEDIUM

📋 TL;DR

Thunderbird email client displays incorrect sender addresses when emails use invalid group name syntax in the From field. This allows attackers to spoof sender identities, potentially tricking users into trusting malicious emails. Affects Thunderbird versions before 128.7 and before 135.

💻 Affected Systems

Products:
  • Mozilla Thunderbird
Versions: Thunderbird < 128.7 and Thunderbird < 135
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All Thunderbird installations with affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Successful phishing campaigns leading to credential theft, malware installation, or financial fraud through convincing sender spoofing.

🟠 Likely Case: Users deceived into opening malicious attachments or links by emails appearing to come from trusted contacts.

🟢 If Mitigated: Minimal impact if users verify sender authenticity through other means and security controls flag suspicious emails.

🌐 Internet-Facing: MEDIUM - Email clients regularly receive external emails, but exploitation requires specific malformed email delivery.
🏢 Internal Only: LOW - Internal email systems typically use proper formatting, but risk exists if internal systems generate malformed emails.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted emails to vulnerable Thunderbird clients.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Thunderbird 128.7 and Thunderbird 135

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-10/

Restart Required: Yes

Instructions:

1. Open Thunderbird.
2. Go to Help > About Thunderbird.
3. Allow the automatic update, or download the latest version from mozilla.org.
4. Restart Thunderbird after the update.

🔧 Temporary Workarounds

Email filtering (applies to: all)
  Configure email filters to flag or quarantine emails with malformed From headers.

Sender verification training (applies to: all)
  Train users to verify sender authenticity through secondary channels before acting on emails.

🧯 If You Can't Patch

  • Implement email gateway filtering for malformed From headers
  • Enable email authentication protocols (SPF, DKIM, DMARC) to detect spoofing

🔍 How to Verify

Check if Vulnerable:

Check the Thunderbird version in Help > About Thunderbird. If the installation is on the 128 line and below 128.7, or on a later line and below 135, it is vulnerable.

Check Version:

thunderbird --version (Linux) or check About dialog (Windows/macOS)

Verify Fix Applied:

After the update, verify in Help > About Thunderbird that the version shows 128.7 or higher (128 line) or 135 or higher.
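One way to script the verification above, as an added example for this page and not a Mozilla tool: it reads the first dotted version number out of the text that thunderbird --version prints and applies the two fixed releases from the advisory, so a 128.x build is judged against 128.7 and any later line against 135. The exact output format ("Thunderbird 128.6.0esr") is an assumption; only the numeric part is used.

```python
"""Classify a Thunderbird version string against the CVE-2025-0510 fixed
releases (128.7 on the 128 line, 135 otherwise), as stated in the advisory.

Added example for this page, not a Mozilla tool. The output of
`thunderbird --version` is assumed to look like "Thunderbird 128.6.0esr";
only the first dotted number group is read, so other prefixes also work.
"""
import re
import subprocess


def parse_version(text):
    """Return (major, minor, patch) from text such as 'Thunderbird 128.6.0esr'."""
    m = re.search(r'(\d+)\.(\d+)(?:\.(\d+))?', text)
    if not m:
        raise ValueError('no version number in: %r' % text)
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(text):
    """True if the build is below 128.7, or on the 129..134 lines (below 135).
    Anything older than 128 is below both fixed releases and is treated as
    affected; 128.7+ and 135+ are patched."""
    major, minor, patch = parse_version(text)
    if major < 128:
        return True
    if major == 128:
        return (minor, patch) < (7, 0)
    return major < 135


def check_installed(command=('thunderbird', '--version')):
    """Run the binary and classify its reported version.
    Returns None if the command cannot be run (binary missing, non-Linux)."""
    try:
        out = subprocess.run(command, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return is_vulnerable(out)


if __name__ == '__main__':
    verdict = check_installed()
    if verdict is None:
        print('could not run thunderbird --version; check Help > About Thunderbird instead')
    else:
        print('VULNERABLE: update to 128.7 or 135' if verdict else 'patched')
```

On Windows and macOS the About dialog remains the simplest source; the version string shown there can be passed to is_vulnerable() directly.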

📡 Detection & Monitoring

Log Indicators:

  • Unusual email opening patterns
  • User reports of suspicious sender addresses

Network Indicators:

  • Emails with malformed From headers in email server logs

SIEM Query:

Email logs containing 'From:' with group syntax errors or malformed addresses
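A concrete version of the two controls this page recommends, the "flag or quarantine emails with malformed From headers" workaround and the SIEM query just above, as an added example that is neither Mozilla's code nor Thunderbird's own parser and does not reproduce how Thunderbird renders the sender. It masks quoted strings, comments and angle-addrs so that only structural colons and semicolons remain, then checks the RFC 5322 group form (display-name ":" mailbox-list ";"), returning 'ok', 'group' (well-formed group syntax, unusual in From and worth review) or 'malformed' (quarantine). The log entry shape and every sample header are constructed for illustration.

```python
"""Flag From: header values that use RFC 5322 group syntax or are structurally
malformed, so a gateway or SIEM rule can route them for quarantine or review.

Added example for this advisory page; it is neither Mozilla's code nor the
Thunderbird parser, and it does not reproduce Thunderbird's display logic.
Every header and log entry below is constructed for illustration.
"""
from email.utils import parseaddr


def _mask_protected(value):
    """Return value with the bodies of quoted-strings "...", comments (...) and
    angle-addrs <...> replaced by spaces, keeping length and positions, so any
    ':' ';' ',' that remain are structural delimiters. Returns None when a
    quote, comment or angle bracket is never closed."""
    out, mode, depth, i = [], None, 0, 0
    while i < len(value):
        ch = value[i]
        if mode is None:
            if ch in '"(<':
                mode, depth = ch, 1
            out.append(ch)
        elif ch == '\\' and i + 1 < len(value):
            out.append('  ')                  # escaped pair: blank both characters
            i += 1
        elif (mode, ch) in (('"', '"'), ('<', '>')):
            mode = None
            out.append(ch)
        elif mode == '(' and ch == '(':
            depth += 1                        # comments may nest
            out.append(' ')
        elif mode == '(' and ch == ')':
            depth -= 1
            if depth == 0:
                mode = None
                out.append(ch)
            else:
                out.append(' ')
        else:
            out.append(' ')
        i += 1
    return None if mode else ''.join(out)


def classify_from(value):
    """Return 'ok' (plain mailbox list), 'group' (well-formed group syntax)
    or 'malformed' (fails RFC 5322 structure) for one From: header value."""
    masked = _mask_protected(value)
    if masked is None:
        return 'malformed'
    if ':' not in masked:
        # Ordinary mailbox-list: accept if at least one addr-spec parses.
        return 'ok' if '@' in parseaddr(value)[1] else 'malformed'
    # Group syntax is  display-name ":" [mailbox-list] ";"  (RFC 5322 section 3.4).
    label, _, rest = masked.partition(':')
    semi = rest.find(';')
    if semi < 0:
        return 'malformed'                    # group never terminated
    if any(c in label for c in '@<,') or ':' in rest[:semi]:
        return 'malformed'                    # mailbox text where the group name belongs, or a nested group
    end = len(label) + 1 + semi + 1           # index just past ';' (same in value and masked)
    tail = masked[end:].strip()
    if not tail:
        return 'group'
    if tail.startswith(','):                  # RFC 6854 permits a further address after a group
        offset = masked.index(',', end) + 1
        return 'malformed' if classify_from(value[offset:]) == 'malformed' else 'group'
    return 'malformed'                        # stray text after the closing ';'


def flag_from_headers(entries):
    """entries: iterable of (message_id, raw From value) taken from mail logs.
    Returns {message_id: verdict} for every entry that is not plain 'ok'."""
    flagged = {}
    for msg_id, raw in entries:
        verdict = classify_from(raw)
        if verdict != 'ok':
            flagged[msg_id] = verdict
    return flagged


# Constructed log extract: (message id, raw From header value).
SAMPLE_LOG = [
    ('msg-001', 'Alice Example <alice@example.com>'),
    ('msg-002', '"Support: Billing" <support@example.com>'),  # colon inside quotes is fine
    ('msg-003', 'Undisclosed recipients:;'),                  # legitimate but unusual group form
    ('msg-004', 'Team: bob@example.com'),                     # group without closing ';'
    ('msg-005', 'Team: bob@example.com; extra'),              # text after the group
    ('msg-006', '"Alice <alice@example.com>'),                # unterminated quoted-string
]

if __name__ == '__main__':
    for msg_id, verdict in sorted(flag_from_headers(SAMPLE_LOG).items()):
        print(msg_id, verdict)
```

Routing both 'group' and 'malformed' to quarantine is the conservative gateway policy; 'group' alone can be downgraded to an alert where legitimate "Undisclosed recipients:;" style senders are common.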
