Plunk versions before 0.8.0 contain a CRLF injection vulnerability (CWE-93) in SESService.ts. This occurs because user inputs for email headers and attachment filenames are not sanitized for carriage return and line feed characters before being inserted into raw MIME email messages. An authenticated API user can exploit this to inject arbitrary email headers such as Bcc or Reply-To, enabling manipulation of email delivery and sender information. The issue is resolved in version 0.8.0 by enforcing schema-level input validation that rejects CRLF characters in these fields, consistent with existing validation for other fields. The vulnerability affects the cloud-hosted service, and the vendor is responsible for patching the environment.

Successful exploitation allows an authenticated API user to inject arbitrary email headers, which can lead to silent email forwarding, reply redirection, or sender spoofing. This compromises the integrity and confidentiality of email communications sent through the platform. The CVSS score of 8.5 reflects high impact on confidentiality and limited impact on integrity, with no impact on availability.

A fix is available in plunk version 0.8.0 that adds input validation to reject carriage return and line feed characters in user-supplied email header fields and attachment filenames. Since plunk is a cloud service, the vendor manages remediation server-side. Users should ensure their environment is updated to version 0.8.0 or later. Check the vendor advisory for confirmation of patch deployment status. No additional mitigation actions are indicated by the vendor.