Intel

AIKIDO-2026-31286

zbateson/mail-mime-parser is vulnerable to CRLF Injection

CRLF InjectionGHSA-36h5-qg4p-q2qf Published 3 days ago

72

High Risk

This Affects:

PHPzbateson/mail-mime-parser
0.0.1 - 3.0.5
Fixed in 3.0.6
4.0.0 - 4.0.1
Fixed in 4.0.2
Are you affected? Scan for Free

TL;DR

The library interpolates attachment filenames into Content-Type and Content-Disposition header values without removing carriage-return and line-feed characters. A filename containing \r\n, which can arrive directly from parsed inbound mail via an RFC 2231 filename*= parameter or a base64/quoted-printable RFC 2047 encoded word, serializes as additional attacker-controlled header lines such as a forged Bcc. This lets an attacker inject arbitrary MIME headers when an application builds or forwards a message using an untrusted filename returned by getFilename(). The fix strips CR/LF and control characters from decoded MIME token and parameter values and from attachment filenames before they are written into headers.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

zbateson/mail-mime-parser is vulnerable to CRLF Injection in versions 0.0.1 - 3.0.5 and 4.0.0 - 4.0.1.

How to fix this

Upgrade the zbateson/mail-mime-parser library to the patch version.