aiosmtplib CVE-2026-53533
MEDIUMSeverity by source
Attacker submits input over network with no authentication required; scope changes because injected commands execute against the SMTP server as a separate component; no confidentiality impact identified in advisory.
Lifecycle Timeline
1DescriptionCVE.org
Summary
aiosmtplib's SMTP.mail(), SMTP.rcpt(), SMTP.vrfy() and SMTP.expn() send the caller-supplied email address to the server without rejecting embedded CR/LF (\r\n) bytes. An address that contains a CR/LF is written verbatim onto the SMTP control connection, so the bytes after the CRLF are framed by the server as one or more additional, standalone SMTP command lines. A caller that passes an attacker-influenced sender or recipient address into mail()/rcpt() (or vrfy()/expn()) therefore allows SMTP command injection (CWE-93 / CWE-77): the attacker can smuggle arbitrary SMTP verbs such as MAIL FROM, RCPT TO, RSET, DATA, or AUTH into the session. Injected commands will cause the SMTP instance to hang, but all commands required to complete the envelope could be sent in one address string.
The SMTP.sendmail() command will pass sender and recipient addresses verbatim through to SMTP.mail() & SMTP.rcpt(), and so is also vulnerable. SMTP.send_message() is not affected.
Impact
Severity: medium. Type: SMTP protocol command injection (CWE-93 - Improper Neutralization of CRLF Sequences; CWE-77 - Command Injection).
When an application built on aiosmtplib derives the envelope sender or any recipient from data an attacker can influence (a web form etc.) and passes it to mail()/rcpt() (directly, or via sendmail()/send() without a Message object), the attacker can:
- desynchronize the command/response pipeline and cause the aiosmtplib client to hang, resulting in a possible denial of service
- inject multiple commands in one address to send an arbitrary message
The address only needs to reach mail()/rcpt()/vrfy()/expn(); no attacker control over the SMTP server is required.
Vulnerable versions
Affected version: aiosmtplib 5.1.0 (latest at time of report) and all earlier releases.
Credit
Reported by tonghuaroot.
AnalysisAI
SMTP command injection in aiosmtplib (all versions through 5.1.0) enables any attacker who can influence email addresses passed to SMTP.mail(), SMTP.rcpt(), SMTP.vrfy(), SMTP.expn(), or the higher-level SMTP.sendmail() to inject arbitrary SMTP protocol commands by embedding CR/LF bytes in the address string. Applications that accept sender or recipient addresses from untrusted input - web forms, APIs - and forward them to these methods without CR/LF sanitization are at risk of session desynchronization, client-side denial of service via SMTP client hang, or delivery of attacker-crafted email through the victim application's SMTP connection. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be able to supply or influence the email address strings passed to SMTP.mail(), SMTP.rcpt(), SMTP.vrfy(), SMTP.expn(), or indirectly via SMTP.sendmail() or SMTP.send() without a Message object. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate and strongly dependent on application architecture. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submitting a crafted recipient address such as 'user@example.com\r\nDATA\r\nFrom: attacker@evil.com\r\nTo: victim@target.com\r\nSubject: Injected\r\n\r\nBody\r\n.' via a web application's contact form causes aiosmtplib to write multiple SMTP command lines to the server in a single RCPT TO call. By embedding a complete MAIL FROM, RCPT TO, DATA sequence within the address string, the attacker can cause the application to deliver an arbitrary email through the server - or alternatively embed only a bare CRLF to desynchronize the pipeline and hang the client, denying service to legitimate email-sending operations. … |
| Remediation | No vendor-released patched version of aiosmtplib has been confirmed from available data; monitor the GitHub Advisory GHSA-v3q9-hj7j-63hq (https://github.com/cole/aiosmtplib/security/advisories/GHSA-v3q9-hj7j-63hq) and the upstream repository at https://github.com/cole/aiosmtplib for patch releases and upgrade as soon as one is available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-v3q9-hj7j-63hq