Skip to main content
CVE Vulnerability Database

CVE-2025-7962: Eclipse Jakarta Mail SMTP Injection Flaw

CVE-2025-7962 is an SMTP injection vulnerability in Eclipse Jakarta Mail that allows attackers to inject malicious commands using UTF-8 characters. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-7962 Overview

CVE-2025-7962 is an SMTP injection vulnerability in Eclipse Jakarta Mail 2.0.2 and Eclipse Angus Mail. The flaw allows attackers to inject additional SMTP commands or message content by embedding carriage return (\r) and line feed (\n) UTF-8 characters into mail fields. These control characters are not properly sanitized before being passed into the SMTP protocol stream, enabling message boundary manipulation. The vulnerability is classified under [CWE-147] Improper Neutralization of Input Terminators. An authenticated attacker with the ability to supply input to mail-sending logic can deliver unauthorized messages or alter mail headers. Eclipse Jakarta Mail is widely deployed in Java enterprise applications for SMTP, IMAP, and POP3 communication.

Critical Impact

Attackers can inject arbitrary SMTP commands and forge unauthorized email messages by manipulating CRLF sequences in mail input fields.

Affected Products

  • Eclipse Jakarta Mail 2.0.2
  • Eclipse Angus Mail (affected versions)
  • Java applications depending on the above libraries for SMTP messaging

Discovery Timeline

Technical Details for CVE-2025-7962

Vulnerability Analysis

The vulnerability resides in how Jakarta Mail processes user-controlled input before passing it into the SMTP protocol. SMTP uses CRLF (\r\n) sequences as message and command terminators. When applications supply untrusted input to mail headers, recipient fields, or message bodies without stripping these characters, attackers can inject new SMTP commands or additional message segments. This is a classic SMTP injection pattern documented in [CWE-147].

Exploitation requires the attacker to interact with an application that calls Jakarta Mail APIs using attacker-controlled data. The CVSS 4.0 vector indicates a network-reachable attack requiring low privileges, with a primary impact on integrity rather than confidentiality or availability. Refer to the GitLab CVE assignment issue for the technical write-up.

Root Cause

The root cause is insufficient neutralization of line terminator characters in mail input fields. Jakarta Mail accepts strings containing raw \r and \n characters and forwards them unchanged into the SMTP transaction. The protocol parser on the receiving end interprets these terminators as command or message boundaries, allowing the original SMTP session to be repurposed.

Attack Vector

An attacker submits crafted input containing embedded \r\n sequences to an application field that ultimately reaches a Jakarta Mail setSubject, setRecipients, or message body call. The injected sequence terminates the current SMTP field and introduces attacker-defined headers, recipients, or full secondary messages. Typical abuse scenarios include sending unauthorized emails from a trusted mail server, bypassing recipient restrictions, and inserting forged headers for phishing.

The vulnerability manifests when CRLF characters survive sanitization in upstream application code. See the Eclipse security advisory for additional technical details on the injection mechanism.

Detection Methods for CVE-2025-7962

Indicators of Compromise

  • Outbound SMTP messages containing unexpected Bcc, Cc, or From headers not originating from application logic
  • Mail server logs showing multiple recipients or messages within a single transaction initiated by the application service account
  • Application input logs containing %0d%0a, %0A, or raw \r\n sequences in mail-related parameters

Detection Strategies

  • Inspect HTTP and API request logs for URL-encoded or literal CRLF sequences in fields that feed mail subjects, recipients, or headers
  • Correlate application-generated email volume with mail relay logs to identify unexplained spikes in outbound messages
  • Perform static analysis of Java codebases to locate Jakarta Mail API calls receiving unsanitized user input

Monitoring Recommendations

  • Enable verbose SMTP transaction logging on outbound relays and alert on transactions with multiple RCPT TO commands from application accounts
  • Monitor dependency manifests (pom.xml, build.gradle) for vulnerable versions of jakarta.mail and angus-mail
  • Track anomalous email recipient domains originating from application service identities

How to Mitigate CVE-2025-7962

Immediate Actions Required

  • Upgrade Eclipse Jakarta Mail to a patched release beyond 2.0.2 and update Eclipse Angus Mail to the corresponding fixed version
  • Audit all application code paths that pass user input into Jakarta Mail APIs and add explicit CRLF stripping
  • Review SMTP relay logs for the last 90 days to identify any prior injection attempts

Patch Information

Refer to the Eclipse GitLab CVE assignment issue and the Openwall OSS Security discussion for fixed version details. Update dependency declarations and rebuild affected applications.

Workarounds

  • Sanitize all user-supplied values by rejecting or stripping \r and \n characters before invoking Jakarta Mail methods
  • Apply allowlist validation on email address fields using strict RFC 5322 patterns
  • Restrict outbound SMTP to a controlled relay that enforces per-message recipient limits and header validation
bash
# Example Maven dependency update to a patched Jakarta Mail release
mvn versions:use-latest-versions -Dincludes=jakarta.mail:jakarta.mail-api
mvn versions:use-latest-versions -Dincludes=org.eclipse.angus:angus-mail
mvn dependency:tree | grep -E "jakarta.mail|angus-mail"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.