Skip to main content

Jakarta Mail CVE-2025-7962

MEDIUM
Improper Neutralization of Input Terminators (CWE-147)
2025-07-21 emo@eclipse.org
6.0
CVSS 4.0 · Vendor: eclipse
Share

Severity by source

Vendor (eclipse) PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

Network vector with high complexity; low privilege reflects authenticated app-user requirement; scope changed because injected commands affect the downstream SMTP mail server.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N
SUSE
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Red Hat
5.3 MEDIUM
qualitative

Primary rating from Vendor (eclipse).

CVSS VectorVendor: eclipse

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 23, 2026 - 13:16 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 217 maven packages depend on com.sun.mail:jakarta.mail (34 direct, 183 indirect)
  • 1 maven packages depend on org.eclipse.angus:smtp (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.0.0 and other introduced versions.

DescriptionCVE.org

In Jakarta Mail versions prior to 2.0.2 it is possible to perform an SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.

AnalysisAI

SMTP injection in Eclipse Jakarta Mail (and its Angus Mail implementation) prior to version 2.0.2 allows a low-privileged attacker to inject arbitrary SMTP protocol commands by embedding raw carriage return (\r) and line feed (\n) UTF-8 characters into email fields processed by the library. The library fails to sanitize these input terminators before passing data to the SMTP command stream, enabling an attacker with control over email content to inject additional SMTP commands, forge headers, or deliver unsolicited messages through a trusted mail relay. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Technical ContextAI

Jakarta Mail (CPE: cpe:2.3:a:eclipse:jakarta_mail) is the Eclipse Foundation's implementation of the Jakarta Mail specification (formerly JavaMail), the standard Java API for email composition and transport. Angus Mail (CPE: cpe:2.3:a:eclipse:angus_mail) is a separate Eclipse project that serves as the standalone reference implementation of this API and is also affected. CWE-147 (Improper Neutralization of Input Terminators) describes the root cause: SMTP is a line-oriented protocol where \r\n (CRLF) sequences delimit commands. When user-controlled data containing these sequences is interpolated into SMTP headers or message content without stripping or encoding, an attacker can prematurely terminate a current SMTP command and inject a new arbitrary SMTP command on a fresh line. The vulnerability is specific to UTF-8 representations of these characters, suggesting the sanitization logic may have handled ASCII CRLF while missing equivalent UTF-8 encoded forms, a classic bypassed-filter variant of header injection.

RemediationAI

Upgrade to Jakarta Mail version 2.0.2 or later, which is the vendor-confirmed fixed release per the CVE description. For Angus Mail, verify the corresponding fixed release against the Eclipse GitLab advisory at https://gitlab.eclipse.org/security/cve-assignement/-/issues/67 and the oss-security disclosure at http://www.openwall.com/lists/oss-security/2025/09/03/4. If an immediate upgrade is not feasible, implement input sanitization at the application layer before passing user-controlled strings to Jakarta Mail APIs: strip or reject any occurrence of \r (CR, 0x0D) and \n (LF, 0x0A) characters - including their UTF-8 encoded equivalents - from all email header values and controlled body segments. This compensating control adds application-layer coupling to mail handling logic and may need updating if additional bypass encodings are discovered. Dependency scanning tools (e.g., OWASP Dependency-Check, Snyk, Trivy) should be used to identify transitive inclusions of the affected library across all Java projects.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
Container suse/manager/5.0/x86_64/server:5.0.5.1.7.33.2 Container suse/multi-linux-manager/5.1/x86_64/server:5.1.1.8.7.1 Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE Image server-image Image server-image-sles15sp7 Affected
SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SP6 SUSE Linux Enterprise Module for Basesystem 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6 Fixed
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
openSUSE Leap 15.6 Fixed

Share

CVE-2025-7962 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy