Skip to main content

aiosmtplib CVE-2026-53533

MEDIUM
Command Injection (CWE-77)
2026-07-07 https://github.com/cole/aiosmtplib GHSA-v3q9-hj7j-63hq
Share

Severity by source

vuln.today AI
7.2 HIGH

Attacker submits input over network with no authentication required; scope changes because injected commands execute against the SMTP server as a separate component; no confidentiality impact identified in advisory.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:N

Lifecycle Timeline

1
Analysis Generated
Jul 08, 2026 - 00:28 vuln.today

DescriptionCVE.org

Summary

aiosmtplib's SMTP.mail(), SMTP.rcpt(), SMTP.vrfy() and SMTP.expn() send the caller-supplied email address to the server without rejecting embedded CR/LF (\r\n) bytes. An address that contains a CR/LF is written verbatim onto the SMTP control connection, so the bytes after the CRLF are framed by the server as one or more additional, standalone SMTP command lines. A caller that passes an attacker-influenced sender or recipient address into mail()/rcpt() (or vrfy()/expn()) therefore allows SMTP command injection (CWE-93 / CWE-77): the attacker can smuggle arbitrary SMTP verbs such as MAIL FROM, RCPT TO, RSET, DATA, or AUTH into the session. Injected commands will cause the SMTP instance to hang, but all commands required to complete the envelope could be sent in one address string.

The SMTP.sendmail() command will pass sender and recipient addresses verbatim through to SMTP.mail() & SMTP.rcpt(), and so is also vulnerable. SMTP.send_message() is not affected.

Impact

Severity: medium. Type: SMTP protocol command injection (CWE-93 - Improper Neutralization of CRLF Sequences; CWE-77 - Command Injection).

When an application built on aiosmtplib derives the envelope sender or any recipient from data an attacker can influence (a web form etc.) and passes it to mail()/rcpt() (directly, or via sendmail()/send() without a Message object), the attacker can:

  • desynchronize the command/response pipeline and cause the aiosmtplib client to hang, resulting in a possible denial of service
  • inject multiple commands in one address to send an arbitrary message

The address only needs to reach mail()/rcpt()/vrfy()/expn(); no attacker control over the SMTP server is required.

Vulnerable versions

Affected version: aiosmtplib 5.1.0 (latest at time of report) and all earlier releases.

Credit

Reported by tonghuaroot.

AnalysisAI

SMTP command injection in aiosmtplib (all versions through 5.1.0) enables any attacker who can influence email addresses passed to SMTP.mail(), SMTP.rcpt(), SMTP.vrfy(), SMTP.expn(), or the higher-level SMTP.sendmail() to inject arbitrary SMTP protocol commands by embedding CR/LF bytes in the address string. Applications that accept sender or recipient addresses from untrusted input - web forms, APIs - and forward them to these methods without CR/LF sanitization are at risk of session desynchronization, client-side denial of service via SMTP client hang, or delivery of attacker-crafted email through the victim application's SMTP connection. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker submits crafted email address via web form or API
Delivery
Application passes unsanitized address to SMTP.mail() or SMTP.rcpt()
Exploit
aiosmtplib writes CR/LF bytes verbatim to SMTP TCP control stream
Execution
SMTP server parses injected bytes as additional standalone command lines
Persist
Arbitrary SMTP verbs execute (MAIL FROM/RCPT TO/DATA or RSET/AUTH)
Impact
Unauthorized email delivered or aiosmtplib client hangs causing application-level DoS

Vulnerability AssessmentAI

Exploitation The attacker must be able to supply or influence the email address strings passed to SMTP.mail(), SMTP.rcpt(), SMTP.vrfy(), SMTP.expn(), or indirectly via SMTP.sendmail() or SMTP.send() without a Message object. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate and strongly dependent on application architecture. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submitting a crafted recipient address such as 'user@example.com\r\nDATA\r\nFrom: attacker@evil.com\r\nTo: victim@target.com\r\nSubject: Injected\r\n\r\nBody\r\n.' via a web application's contact form causes aiosmtplib to write multiple SMTP command lines to the server in a single RCPT TO call. By embedding a complete MAIL FROM, RCPT TO, DATA sequence within the address string, the attacker can cause the application to deliver an arbitrary email through the server - or alternatively embed only a bare CRLF to desynchronize the pipeline and hang the client, denying service to legitimate email-sending operations. …
Remediation No vendor-released patched version of aiosmtplib has been confirmed from available data; monitor the GitHub Advisory GHSA-v3q9-hj7j-63hq (https://github.com/cole/aiosmtplib/security/advisories/GHSA-v3q9-hj7j-63hq) and the upstream repository at https://github.com/cole/aiosmtplib for patch releases and upgrade as soon as one is available. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53533 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy