Jakarta Mail
CVE-2025-7962
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network vector with high complexity; low privilege reflects authenticated app-user requirement; scope changed because injected commands affect the downstream SMTP mail server.
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from Vendor (eclipse).
CVSS VectorVendor: eclipse
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1Blast Radius
ecosystem impact- 217 maven packages depend on com.sun.mail:jakarta.mail (34 direct, 183 indirect)
- 1 maven packages depend on org.eclipse.angus:smtp (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.0.0 and other introduced versions.
DescriptionCVE.org
In Jakarta Mail versions prior to 2.0.2 it is possible to perform an SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.
AnalysisAI
SMTP injection in Eclipse Jakarta Mail (and its Angus Mail implementation) prior to version 2.0.2 allows a low-privileged attacker to inject arbitrary SMTP protocol commands by embedding raw carriage return (\r) and line feed (\n) UTF-8 characters into email fields processed by the library. The library fails to sanitize these input terminators before passing data to the SMTP command stream, enabling an attacker with control over email content to inject additional SMTP commands, forge headers, or deliver unsolicited messages through a trusted mail relay. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Technical ContextAI
Jakarta Mail (CPE: cpe:2.3:a:eclipse:jakarta_mail) is the Eclipse Foundation's implementation of the Jakarta Mail specification (formerly JavaMail), the standard Java API for email composition and transport. Angus Mail (CPE: cpe:2.3:a:eclipse:angus_mail) is a separate Eclipse project that serves as the standalone reference implementation of this API and is also affected. CWE-147 (Improper Neutralization of Input Terminators) describes the root cause: SMTP is a line-oriented protocol where \r\n (CRLF) sequences delimit commands. When user-controlled data containing these sequences is interpolated into SMTP headers or message content without stripping or encoding, an attacker can prematurely terminate a current SMTP command and inject a new arbitrary SMTP command on a fresh line. The vulnerability is specific to UTF-8 representations of these characters, suggesting the sanitization logic may have handled ASCII CRLF while missing equivalent UTF-8 encoded forms, a classic bypassed-filter variant of header injection.
RemediationAI
Upgrade to Jakarta Mail version 2.0.2 or later, which is the vendor-confirmed fixed release per the CVE description. For Angus Mail, verify the corresponding fixed release against the Eclipse GitLab advisory at https://gitlab.eclipse.org/security/cve-assignement/-/issues/67 and the oss-security disclosure at http://www.openwall.com/lists/oss-security/2025/09/03/4. If an immediate upgrade is not feasible, implement input sanitization at the application layer before passing user-controlled strings to Jakarta Mail APIs: strip or reject any occurrence of \r (CR, 0x0D) and \n (LF, 0x0A) characters - including their UTF-8 encoded equivalents - from all email header values and controlled body segments. This compensating control adds application-layer coupling to mail handling logic and may need updating if additional bypass encodings are discovered. Dependency scanning tools (e.g., OWASP Dependency-Check, Snyk, Trivy) should be used to identify transitive inclusions of the affected library across all Java projects.
Same technique Code Injection
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| Container suse/manager/5.0/x86_64/server:5.0.5.1.7.33.2 Container suse/multi-linux-manager/5.1/x86_64/server:5.1.1.8.7.1 Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE Image server-image Image server-image-sles15sp7 | Affected |
| SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise High Performance Computing 15 SP6 SUSE Linux Enterprise Module for Basesystem 15 SP6 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Desktop 15 SP7 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP7 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP7 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Not-Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Not-Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| openSUSE Leap 16.0 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP4 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP6 | Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Module for Development Tools 15 SP6 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP4 | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP5 | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP6 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP6 | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Manager Proxy 4.3 | Not-Affected |
| SUSE Manager Proxy 4.3 | Affected |
| SUSE Manager Proxy LTS 4.3 | Affected |
| SUSE Manager Retail Branch Server 4.3 | Not-Affected |
| SUSE Manager Retail Branch Server 4.3 | Affected |
| SUSE Manager Retail Branch Server LTS 4.3 | Affected |
| SUSE Manager Server 4.3 | Not-Affected |
| SUSE Manager Server 4.3 | Affected |
| SUSE Manager Server LTS 4.3 | Affected |
| SUSE Enterprise Storage 7 | Affected |
| SUSE Enterprise Storage 7.1 | Not-Affected |
| SUSE Enterprise Storage 7.1 | Affected |
| SUSE Linux Enterprise Desktop 15 SP2 | Affected |
| SUSE Linux Enterprise Desktop 15 SP3 | Affected |
| SUSE Linux Enterprise Desktop 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP4 | Affected |
| SUSE Linux Enterprise Desktop 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP5 | Affected |
| SUSE Linux Enterprise Desktop 15 SP6 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP6 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP2 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP3 | Affected |
| SUSE Linux Enterprise Real Time 15 SP2 | Affected |
| SUSE Linux Enterprise Real Time 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Real Time 15 SP3 | Affected |
| SUSE Linux Enterprise Real Time 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Real Time 15 SP4 | Affected |
| SUSE Linux Enterprise Server 15 SP2 | Affected |
| SUSE Linux Enterprise Server 15 SP2-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP3 | Affected |
| SUSE Linux Enterprise Server 15 SP3-BCL | Affected |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| SUSE Manager Proxy 4.1 | Affected |
| SUSE Manager Proxy 4.2 | Affected |
| SUSE Manager Retail Branch Server 4.1 | Affected |
| SUSE Manager Retail Branch Server 4.2 | Affected |
| SUSE Manager Server 4.1 | Affected |
| SUSE Manager Server 4.2 | Affected |
| openSUSE Leap 15.3 | Affected |
| openSUSE Leap 15.4 | Not-Affected |
| openSUSE Leap 15.4 | Affected |
| openSUSE Leap 15.5 | Not-Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.6 | Not-Affected |
| openSUSE Leap 15.6 | Affected |
| suse/manager/5.0/x86_64/server suse/multi-linux-manager/5.1/x86_64/server suse/multi-linux-manager/5.2/x86_64/server | Affected |
Share
External POC / Exploit Code
Leaving vuln.today