CWE-290
AllowedAuthentication Bypass by Spoofing
Abstraction: Base · Status: Incomplete
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
925 vulnerabilities reference this CWE, most recent first.
GHSA-R65X-2HQR-J5HF
Vulnerability from github – Published: 2026-03-03 00:40 – Updated: 2026-03-20 21:12Summary
A paired node device could reconnect with spoofed platform/deviceFamily metadata and broaden node command policy eligibility because reconnect metadata was accepted from the client while these fields were not bound into the device-auth signature.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.2.25 - Latest published version at update time:
2026.2.25 - Patched version (pre-set for next release):
2026.2.26
Impact
In configurations where node command policy differs by platform, an attacker with an already paired node identity on the trusted network could spoof reconnect metadata and gain access to commands that should remain blocked for the originally paired platform.
Fix
- Add device-auth payload
v3that signs normalizedplatformanddeviceFamily. - Verify
v3first (fallback tov2for compatibility), while pinning paired metadata server-side. - Reject reconnect metadata mismatches and require explicit repair pairing to change pinned metadata.
- Add regression coverage for reconnect spoof attempts.
Fix Commit(s)
7d8aeaaf06e2e616545d2c2cec7fa27f36b59b6a
Release Process Note
patched_versions is pre-set to the planned next release 2026.2.26; once that npm release is published, the advisory can be published without further field edits.
OpenClaw thanks @76embiid21 for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.25"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32014"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T00:40:12Z",
"nvd_published_at": "2026-03-19T22:16:34Z",
"severity": "HIGH"
},
"details": "## Summary\n\nA paired node device could reconnect with spoofed `platform`/`deviceFamily` metadata and broaden node command policy eligibility because reconnect metadata was accepted from the client while these fields were not bound into the device-auth signature.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.2.25`\n- Latest published version at update time: `2026.2.25`\n- Patched version (pre-set for next release): `2026.2.26`\n\n## Impact\n\nIn configurations where node command policy differs by platform, an attacker with an already paired node identity on the trusted network could spoof reconnect metadata and gain access to commands that should remain blocked for the originally paired platform.\n\n## Fix\n\n- Add device-auth payload `v3` that signs normalized `platform` and `deviceFamily`.\n- Verify `v3` first (fallback to `v2` for compatibility), while pinning paired metadata server-side.\n- Reject reconnect metadata mismatches and require explicit repair pairing to change pinned metadata.\n- Add regression coverage for reconnect spoof attempts.\n\n## Fix Commit(s)\n\n- `7d8aeaaf06e2e616545d2c2cec7fa27f36b59b6a`\n\n## Release Process Note\n\n`patched_versions` is pre-set to the planned next release `2026.2.26`; once that npm release is published, the advisory can be published without further field edits.\n\nOpenClaw thanks @76embiid21 for reporting.",
"id": "GHSA-r65x-2hqr-j5hf",
"modified": "2026-03-20T21:12:24Z",
"published": "2026-03-03T00:40:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r65x-2hqr-j5hf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32014"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/7d8aeaaf06e2e616545d2c2cec7fa27f36b59b6a"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-node-reconnect-metadata-spoofing-via-unsigned-platform-fields"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy"
}
GHSA-R6RX-QWWM-WC39
Vulnerability from github – Published: 2022-10-12 12:00 – Updated: 2025-01-03 00:31{
"affected": [],
"aliases": [
"CVE-2022-34689"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-11T19:15:00Z",
"severity": "HIGH"
},
"details": "Windows CryptoAPI Spoofing Vulnerability.",
"id": "GHSA-r6rx-qwwm-wc39",
"modified": "2025-01-03T00:31:05Z",
"published": "2022-10-12T12:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34689"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34689"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-34689"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R6XH-PQHR-V4XH
Vulnerability from github – Published: 2026-05-04 20:22 – Updated: 2026-05-12 13:37Summary
MCP loopback owner context is derived from server-issued bearer tokens.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.4.21
- Fixed version: 2026.4.22
Impact
The loopback MCP path accepted spoofable owner-context metadata from request headers, which could allow a non-owner loopback client to present itself as owner for owner-gated operations.
Fix
The MCP loopback runtime now issues separate owner and non-owner bearer tokens and derives senderIsOwner exclusively from which token authenticated the request. The spoofable sender-owner header is no longer emitted or trusted.
Fix Commit(s)
- 3cb1a56bfc9579a0f2336f9cfa12a8a744332a19
Verification
- The fix commit is contained in the public v2026.4.22 tag.
- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.
- Focused regression coverage for this path passed before publication.
OpenClaw thanks @VladimirEliTokarev for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.4.21"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.4.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44118"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-04T20:22:42Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\nMCP loopback owner context is derived from server-issued bearer tokens.\n\n## Affected Packages / Versions\n- Package: openclaw (npm)\n- Affected versions: \u003c= 2026.4.21\n- Fixed version: 2026.4.22\n\n## Impact\nThe loopback MCP path accepted spoofable owner-context metadata from request headers, which could allow a non-owner loopback client to present itself as owner for owner-gated operations.\n\n## Fix\nThe MCP loopback runtime now issues separate owner and non-owner bearer tokens and derives senderIsOwner exclusively from which token authenticated the request. The spoofable sender-owner header is no longer emitted or trusted.\n\n## Fix Commit(s)\n- 3cb1a56bfc9579a0f2336f9cfa12a8a744332a19\n\n## Verification\n- The fix commit is contained in the public v2026.4.22 tag.\n- openclaw@2026.4.22 is published on npm and the compiled package contains the fix.\n- Focused regression coverage for this path passed before publication.\n\nOpenClaw thanks @VladimirEliTokarev for reporting.",
"id": "GHSA-r6xh-pqhr-v4xh",
"modified": "2026-05-12T13:37:11Z",
"published": "2026-05-04T20:22:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r6xh-pqhr-v4xh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44118"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/3cb1a56bfc9579a0f2336f9cfa12a8a744332a19"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-owner-context-spoofing-via-bearer-token-header"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: MCP loopback owner context is derived from server-issued bearer tokens"
}
GHSA-R8M8-J8RP-H564
Vulnerability from github – Published: 2022-05-13 01:20 – Updated: 2022-05-13 01:20A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content, aka "Microsoft Edge Spoofing Vulnerability." This affects Microsoft Edge.
{
"affected": [],
"aliases": [
"CVE-2018-8425"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-13T00:29:00Z",
"severity": "MODERATE"
},
"details": "A spoofing vulnerability exists when Microsoft Edge improperly handles specific HTML content, aka \"Microsoft Edge Spoofing Vulnerability.\" This affects Microsoft Edge.",
"id": "GHSA-r8m8-j8rp-h564",
"modified": "2022-05-13T01:20:53Z",
"published": "2022-05-13T01:20:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8425"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8425"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105255"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041623"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RCH7-F4H5-X9RJ
Vulnerability from github – Published: 2019-08-23 00:04 – Updated: 2021-08-17 21:32Affected versions of libp2p-secio does not correctly verify that the PeerId of DstPeer matches the PeerId discovered in the crypto handshake, resulting in a high severity identity spoofing vulnerability.
Recommendation
Update to version 0.9.0 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "libp2p-secio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2019-08-22T14:56:33Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Affected versions of `libp2p-secio` does not correctly verify that the `PeerId` of `DstPeer` matches the `PeerId` discovered in the crypto handshake, resulting in a high severity identity spoofing vulnerability. \n\n\n## Recommendation\n\nUpdate to version 0.9.0 or later.",
"id": "GHSA-rch7-f4h5-x9rj",
"modified": "2021-08-17T21:32:42Z",
"published": "2019-08-23T00:04:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/libp2p/js-libp2p-secio/pull/95"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/npm:libp2p-secio:20180115"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/558"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Identity Spoofing in libp2p-secio"
}
GHSA-RCH9-592X-RRW8
Vulnerability from github – Published: 2023-10-10 15:30 – Updated: 2025-11-28 18:30The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can bypass authentication and access administrative functionality by sending HTTP requests using a crafted Y-forwarded-for header.
{
"affected": [],
"aliases": [
"CVE-2023-30803"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-10T15:15:09Z",
"severity": "CRITICAL"
},
"details": "The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can bypass authentication and access administrative functionality by sending HTTP requests using a crafted Y-forwarded-for header.",
"id": "GHSA-rch9-592x-rrw8",
"modified": "2025-11-28T18:30:16Z",
"published": "2023-10-10T15:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30803"
},
{
"type": "WEB",
"url": "https://aws.amazon.com/marketplace/pp/prodview-uujwjffddxzp4"
},
{
"type": "WEB",
"url": "https://labs.watchtowr.com/yet-more-unauth-remote-command-execution-vulns-in-firewalls-sangfor-edition"
},
{
"type": "WEB",
"url": "https://vulncheck.com/advisories/sangfor-ngaf-auth-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RCJQ-RRM8-5G33
Vulnerability from github – Published: 2024-06-04 09:30 – Updated: 2025-04-03 00:31Improper Control of Interaction Frequency vulnerability in Lester ‘GaMerZ’ Chan WP-PostRatings allows Functionality Misuse.This issue affects WP-PostRatings: from n/a through 1.91.
{
"affected": [],
"aliases": [
"CVE-2023-40332"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-799"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-04T08:15:09Z",
"severity": "MODERATE"
},
"details": "Improper Control of Interaction Frequency vulnerability in Lester \u2018GaMerZ\u2019 Chan WP-PostRatings allows Functionality Misuse.This issue affects WP-PostRatings: from n/a through 1.91.",
"id": "GHSA-rcjq-rrm8-5g33",
"modified": "2025-04-03T00:31:30Z",
"published": "2024-06-04T09:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40332"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/wp-postratings/wordpress-wp-postratings-plugin-1-91-rating-limit-bypass-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RCMW-7MC7-3RJ7
Vulnerability from github – Published: 2026-04-30 20:44 – Updated: 2026-05-13 13:38Impact
A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via Sentry's private bug bounty program.
The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability.
Self-hosted users are only vulnerable if the following conditions are met: - They have more than one organization configured (SENTRY_SINGLE_ORGANIZATION = False). - A malicious user has existing access and permissions to modify SSO settings for another organization in their multi-organization instance.
Patches
- Sentry SaaS: The fix was deployed in April. No action is required.
- Self-Hosted Sentry: If only a single organization is allowed (SENTRY_SINGLE_ORGANIZATION = True), then no action is needed. Sentry recommends upgrading to version 26.4.1 or higher.
Workarounds
User account-based two-factor authentication prevents an attacker from being able to complete authentication with a victim's user account. Organization administrators cannot do this on a user's behalf, this requires individual users to ensure 2FA has been enabled for their account.
Users can manage their two-factor authentication settings through Account Settings > Security page. For step-by-step details, please see the Sentry helpdesk article.
Resources
- https://github.com/getsentry/sentry/pull/113720
Please note that this is distinct vulnerability from the similar https://github.com/getsentry/sentry/security/advisories/GHSA-7pq6-v88g-wf3w from 2025.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 26.4.0"
},
"package": {
"ecosystem": "PyPI",
"name": "sentry"
},
"ranges": [
{
"events": [
{
"introduced": "21.12.0"
},
{
"fixed": "26.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42354"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-30T20:44:24Z",
"nvd_published_at": "2026-05-08T23:16:38Z",
"severity": "CRITICAL"
},
"details": "### Impact\nA critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via Sentry\u0027s private bug bounty program.\n\nThe vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability.\n\nSelf-hosted users are only vulnerable if the following conditions are met:\n- They have more than one organization configured (SENTRY_SINGLE_ORGANIZATION = False).\n- A malicious user has existing access and permissions to modify SSO settings for another organization in their multi-organization instance. \n\n### Patches\n- [Sentry SaaS](https://sentry.io/): The fix was deployed in April. No action is required.\n- [Self-Hosted Sentry](https://github.com/getsentry/self-hosted): If only a single organization is allowed (SENTRY_SINGLE_ORGANIZATION = True), then no action is needed. Sentry recommends upgrading to version 26.4.1 or higher.\n\n### Workarounds\nUser account-based two-factor authentication prevents an attacker from being able to complete authentication with a victim\u0027s user account. Organization administrators cannot do this on a user\u0027s behalf, this requires individual users to ensure 2FA has been enabled for their account.\n\nUsers can manage their two-factor authentication settings through Account Settings \u003e [Security](https://sentry.io/settings/account/security/) page. For step-by-step details, please see the Sentry [helpdesk article](https://sentry.zendesk.com/hc/en-us/articles/46773315774235-How-do-I-enable-two-factor-authentication-2FA-on-my-Sentry-account).\n\n### Resources\n\n- https://github.com/getsentry/sentry/pull/113720 \n\nPlease note that this is distinct vulnerability from the similar https://github.com/getsentry/sentry/security/advisories/GHSA-7pq6-v88g-wf3w from 2025.",
"id": "GHSA-rcmw-7mc7-3rj7",
"modified": "2026-05-13T13:38:32Z",
"published": "2026-04-30T20:44:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry/security/advisories/GHSA-rcmw-7mc7-3rj7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42354"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry/pull/113720"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry/commit/0c67558ae7fe08738912d4c5233b53ead048da3b"
},
{
"type": "PACKAGE",
"url": "https://github.com/getsentry/sentry"
},
{
"type": "WEB",
"url": "https://github.com/getsentry/sentry/releases/tag/26.4.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sentry\u0027s improper authentication on SAML SSO process allows user identity linking"
}
GHSA-RG2M-7V6J-W3WQ
Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-07 00:00The authentication mechanism used by technicians on the tested version of Dominion Voting Systems ImageCast X is susceptible to forgery. An attacker with physical access may use this to gain administrative privileges on a device and install malicious code or perform arbitrary administrative actions.
{
"affected": [],
"aliases": [
"CVE-2022-1745"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-24T15:15:00Z",
"severity": "HIGH"
},
"details": "The authentication mechanism used by technicians on the tested version of Dominion Voting Systems ImageCast X is susceptible to forgery. An attacker with physical access may use this to gain administrative privileges on a device and install malicious code or perform arbitrary administrative actions.",
"id": "GHSA-rg2m-7v6j-w3wq",
"modified": "2022-07-07T00:00:29Z",
"published": "2022-06-25T00:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1745"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-154-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RG69-33G2-MP48
Vulnerability from github – Published: 2025-05-14 18:30 – Updated: 2025-11-03 21:33Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value "Spoofed Name ", Thunderbird treats spoofed@example.com as the actual address. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
{
"affected": [],
"aliases": [
"CVE-2025-3875"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-14T17:15:48Z",
"severity": "HIGH"
},
"details": "Thunderbird parses addresses in a way that can allow sender spoofing in case the server allows an invalid From address to be used. For example, if the From header contains an (invalid) value \"Spoofed Name \", Thunderbird treats spoofed@example.com as the actual address. This vulnerability affects Thunderbird \u003c 128.10.1 and Thunderbird \u003c 138.0.1.",
"id": "GHSA-rg69-33g2-mp48",
"modified": "2025-11-03T21:33:54Z",
"published": "2025-05-14T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3875"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1950629"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-34"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-35"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-21: Exploitation of Trusted Identifiers
An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-461: Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.
CAPEC-473: Signature Spoof
An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.
CAPEC-476: Signature Spoofing by Misrepresentation
An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
CAPEC-60: Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
CAPEC-667: Bluetooth Impersonation AttackS (BIAS)
An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.