aiosmtplib is vulnerable to STARTTLS Response Injection
59
Medium Risk
When a connection is upgraded with STARTTLS, the client reads the server's 220 go-ahead reply and begins the TLS handshake without discarding bytes already sitting in the receive buffer. Because the asyncio transport is swapped in place while the protocol buffer is reused, plaintext read before the handshake survives into the encrypted session and is parsed as the first post-TLS server response. An active man-in-the-middle can pre-stage response lines right after the 220 reply to inject server responses and desynchronize every later command and response pair inside the supposedly encrypted session. The fix discards any data buffered after the 220 STARTTLS reply before performing the handshake, as required by RFC 3207.
You are affected if you are using a version that falls within the vulnerable range and your connections upgrade from plaintext using STARTTLS.
aiosmtplib is vulnerable to STARTTLS Response Injection in versions 0.1 - 5.1.1.
Upgrade the aiosmtplib library to the patched version.
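To make the buffer-reuse defect concrete, the following is an added illustration written for this page, not aiosmtplib's own code: a minimal SMTP reply reader that models the transport swap with and without the RFC 3207 discard step. All bytes, host names and reply text are constructed; no sockets or TLS are involved.

```python
# Added example (not from aiosmtplib): why plaintext left in the receive
# buffer before the TLS handshake must be discarded, and the RFC 3207 fix.
# Constructed byte strings stand in for the network.

class SmtpReader:
    """Buffers bytes from a transport and parses SMTP reply lines."""

    def __init__(self) -> None:
        self.buffer = bytearray()

    def data_received(self, data: bytes) -> None:
        # Stands in for asyncio's Protocol.data_received(); the buffer lives
        # on the protocol object, which survives the transport swap.
        self.buffer.extend(data)

    def read_response(self) -> tuple[int, str]:
        """Pop one (possibly multi-line) reply: numeric code and joined text."""
        lines = []
        while True:
            end = self.buffer.find(b"\r\n")
            if end < 0:
                raise EOFError("incomplete reply in buffer")
            line = bytes(self.buffer[:end]).decode("ascii")
            del self.buffer[: end + 2]
            lines.append(line[4:])
            if line[3:4] != "-":          # "250-" continues, "250 " ends the reply
                return int(line[:3]), "\n".join(lines)

    def upgrade_to_tls(self, discard_buffer: bool) -> None:
        """Model the in-place transport swap; the protocol buffer is reused."""
        if discard_buffer:
            # RFC 3207: forget everything read from the server before the handshake.
            self.buffer.clear()
        # The TLS handshake would run here on the new transport.


def starttls_then_ehlo(discard_buffer: bool) -> tuple[int, str]:
    """Simulate STARTTLS followed by the first command sent over TLS (EHLO)."""
    reader = SmtpReader()
    # Constructed wire bytes: the 220 go-ahead with an extra reply line
    # pre-staged right behind it, before any TLS bytes flow.
    reader.data_received(b"220 Ready to start TLS\r\n250 injected-line\r\n")
    code, _ = reader.read_response()
    assert code == 220
    reader.upgrade_to_tls(discard_buffer)
    # Genuine post-handshake reply to EHLO, arriving over the new transport.
    reader.data_received(b"250-mail.example.test\r\n250 AUTH PLAIN\r\n")
    return reader.read_response()
```

With `discard_buffer=False` the client accepts the pre-staged line as its EHLO reply and the genuine reply stays queued, so every later command is matched to the wrong response; with `discard_buffer=True` the first post-TLS reply is the real one.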