GHSA-v3q9-hj7j-63hq: aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient address
The aiosmtplib library versions prior to 5.1.1 are vulnerable to SMTP command injection via CR/LF characters embedded in sender or recipient email addresses. This allows an attacker to inject arbitrary SMTP commands into the session by including carriage return and line feed sequences in the address strings passed to SMTP methods such as mail(), rcpt(), vrfy(), and expn(). The vulnerability can cause the client to hang or allow sending of arbitrary messages if the attacker controls the envelope sender or recipient data. The issue affects aiosmtplib 5.1.0 and all earlier versions.
AI Analysis
Technical Summary
aiosmtplib's SMTP methods mail(), rcpt(), vrfy(), and expn() do not sanitize or reject CR/LF characters in email addresses supplied by the caller. Because these addresses are sent verbatim to the SMTP server, embedded CR/LF sequences enable injection of additional SMTP commands within a single address string. This command injection can desynchronize the SMTP client-server communication, causing hangs or enabling arbitrary SMTP commands to be executed. The sendmail() method is also vulnerable as it passes addresses directly to mail() and rcpt(). The vulnerability is identified as CWE-93 (Improper Neutralization of CRLF Sequences) and CWE-77 (Command Injection).
Potential Impact
An attacker who can influence the envelope sender or recipient addresses passed to vulnerable aiosmtplib methods can inject arbitrary SMTP commands. This can lead to denial of service by causing the SMTP client to hang or enable sending of arbitrary messages through command injection. No control over the SMTP server is required. The severity is medium due to the potential for disruption and misuse of the SMTP session.
Mitigation Recommendations
A fix is available in aiosmtplib version 5.1.1 and later. Users should upgrade to version 5.1.1 or above to remediate this vulnerability. Until upgraded, avoid passing untrusted input directly to SMTP methods mail(), rcpt(), vrfy(), expn(), or sendmail() without proper validation or sanitization of CR/LF characters in email addresses. Patch status is confirmed by the affectedVersions data indicating versions <5.1.1 are vulnerable.
GHSA-v3q9-hj7j-63hq: aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient address
Description
The aiosmtplib library versions prior to 5.1.1 are vulnerable to SMTP command injection via CR/LF characters embedded in sender or recipient email addresses. This allows an attacker to inject arbitrary SMTP commands into the session by including carriage return and line feed sequences in the address strings passed to SMTP methods such as mail(), rcpt(), vrfy(), and expn(). The vulnerability can cause the client to hang or allow sending of arbitrary messages if the attacker controls the envelope sender or recipient data. The issue affects aiosmtplib 5.1.0 and all earlier versions.
CVSS v4.0
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
aiosmtplib's SMTP methods mail(), rcpt(), vrfy(), and expn() do not sanitize or reject CR/LF characters in email addresses supplied by the caller. Because these addresses are sent verbatim to the SMTP server, embedded CR/LF sequences enable injection of additional SMTP commands within a single address string. This command injection can desynchronize the SMTP client-server communication, causing hangs or enabling arbitrary SMTP commands to be executed. The sendmail() method is also vulnerable as it passes addresses directly to mail() and rcpt(). The vulnerability is identified as CWE-93 (Improper Neutralization of CRLF Sequences) and CWE-77 (Command Injection).
Potential Impact
An attacker who can influence the envelope sender or recipient addresses passed to vulnerable aiosmtplib methods can inject arbitrary SMTP commands. This can lead to denial of service by causing the SMTP client to hang or enable sending of arbitrary messages through command injection. No control over the SMTP server is required. The severity is medium due to the potential for disruption and misuse of the SMTP session.
Mitigation Recommendations
A fix is available in aiosmtplib version 5.1.1 and later. Users should upgrade to version 5.1.1 or above to remediate this vulnerability. Until upgraded, avoid passing untrusted input directly to SMTP methods mail(), rcpt(), vrfy(), expn(), or sendmail() without proper validation or sanitization of CR/LF characters in email addresses. Patch status is confirmed by the affectedVersions data indicating versions <5.1.1 are vulnerable.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-v3q9-hj7j-63hq
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-53533"]
- Ecosystems
- ["PyPI"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 4.0
Threat ID: 6a4e4ee7c9d9e3dbe3289b59
Added to database: 07/08/2026, 13:21:43 UTC
Last enriched: 07/08/2026, 13:40:47 UTC
Last updated: 07/08/2026, 17:16:54 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.