The vulnerability CVE-2025-0510 affects Mozilla Thunderbird by causing the client to display an incorrect sender address when the From field of an email uses an invalid group name syntax, enabling sender address spoofing. This issue is linked to the previously described syntax in CVE-2024-49040. The flaw was addressed in Thunderbird 128.7 and Thunderbird 135 releases. The vulnerability has a CVSS 3.1 base score of 6.5 with vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, indicating it can be exploited remotely without privileges but requires user interaction, and impacts data integrity by allowing spoofing of the sender address. Mozilla's security advisories MFSA 2025-10 and MFSA 2025-11 detail this fix among other memory safety and use-after-free bugs.

The primary impact of CVE-2025-0510 is the ability for an attacker to spoof the sender address displayed in Thunderbird emails, potentially misleading recipients about the origin of a message. This compromises the integrity of email sender information but does not affect confidentiality or availability. There are no reports of active exploitation in the wild. The vulnerability could facilitate phishing or social engineering attacks by making malicious emails appear to come from trusted sources.

This vulnerability has been fixed in Thunderbird versions 128.7 and 135. Users and administrators should update to at least Thunderbird 128.7 or later to remediate this issue. No additional mitigation steps are required as the vendor advisories confirm the vulnerability is addressed in these official releases.