Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-v3q9-hj7j-63hq: aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient address

0
Medium
Published: 07/07/2026 (07/07/2026, 23:40:52 UTC)
Source: GCVE Database
Product: aiosmtplib

Description

The aiosmtplib library versions prior to 5.1.1 are vulnerable to SMTP command injection via CR/LF characters embedded in sender or recipient email addresses. This allows an attacker to inject arbitrary SMTP commands into the session by including carriage return and line feed sequences in the address strings passed to SMTP methods such as mail(), rcpt(), vrfy(), and expn(). The vulnerability can cause the client to hang or allow sending of arbitrary messages if the attacker controls the envelope sender or recipient data. The issue affects aiosmtplib 5.1.0 and all earlier versions.

CVSS v4.0

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Vuln. Confidentiality
None
Vuln. Integrity
Low
Vuln. Availability
Low
Subsq. Confidentiality
None
Subsq. Integrity
High
Subsq. Availability
None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:N

Affected software

PyPIghsa
aiosmtplib
Affected versions
<5.1.1

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/08/2026, 13:40:47 UTC

Technical Analysis

aiosmtplib's SMTP methods mail(), rcpt(), vrfy(), and expn() do not sanitize or reject CR/LF characters in email addresses supplied by the caller. Because these addresses are sent verbatim to the SMTP server, embedded CR/LF sequences enable injection of additional SMTP commands within a single address string. This command injection can desynchronize the SMTP client-server communication, causing hangs or enabling arbitrary SMTP commands to be executed. The sendmail() method is also vulnerable as it passes addresses directly to mail() and rcpt(). The vulnerability is identified as CWE-93 (Improper Neutralization of CRLF Sequences) and CWE-77 (Command Injection).

Potential Impact

An attacker who can influence the envelope sender or recipient addresses passed to vulnerable aiosmtplib methods can inject arbitrary SMTP commands. This can lead to denial of service by causing the SMTP client to hang or enable sending of arbitrary messages through command injection. No control over the SMTP server is required. The severity is medium due to the potential for disruption and misuse of the SMTP session.

Mitigation Recommendations

A fix is available in aiosmtplib version 5.1.1 and later. Users should upgrade to version 5.1.1 or above to remediate this vulnerability. Until upgraded, avoid passing untrusted input directly to SMTP methods mail(), rcpt(), vrfy(), expn(), or sendmail() without proper validation or sanitization of CR/LF characters in email addresses. Patch status is confirmed by the affectedVersions data indicating versions <5.1.1 are vulnerable.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-v3q9-hj7j-63hq
Osv Schema Version
1.4.0
Aliases
["CVE-2026-53533"]
Ecosystems
["PyPI"]
Database Specific Severity
MODERATE
Cvss Version
4.0

Threat ID: 6a4e4ee7c9d9e3dbe3289b59

Added to database: 07/08/2026, 13:21:43 UTC

Last enriched: 07/08/2026, 13:40:47 UTC

Last updated: 07/08/2026, 17:16:54 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses