
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-7962: Lost in Translation: How CVE-2025-7962 Turns Unicode into SMTP Command Injection

Vulnerability ID: CVE-2025-7962
CVSS Score: 7.5
Published: 2025-07-21

A critical flaw in Jakarta Mail (Eclipse Angus Mail) allows attackers to perform SMTP Command Injection by leveraging improper Unicode-to-ASCII conversion. By using specific multibyte characters, an attacker can smuggle protocol delimiters past input filters.

TL;DR

Jakarta Mail (formerly JavaMail) contains a classic CRLF injection vulnerability with a twist: it's triggered by Unicode characters. Because the library naively truncates 16-bit characters to 8-bit bytes during SMTP transmission, characters like '瘍' (U+760D) become a literal Carriage Return (0x0D). This allows attackers to break out of email headers and inject arbitrary SMTP commands, leading to spam relaying, phishing from trusted domains, or session poisoning.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-147 (Improper Neutralization of Input Terminators)
  • CVSS v3.1: 7.5 (High)
  • Attack Vector: Network (SMTP Injection)
  • EPSS Score: 0.0001 (0.83%)
  • Exploit Status: PoC Available
  • Impact: Integrity (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Systems

  • Eclipse Angus Mail: versions <= 2.0.3 (Fixed in: 2.0.4)
  • Jakarta Mail: versions <= 2.0.2
  • IBM WebSphere Application Server: 8.5.x, 9.0.x (Fixed in: 8.5.5.28, 9.0.5.25)
  • IBM Tivoli Netcool Configuration Manager
  • Jenkins (via Jakarta Mail API Plugin): <= 2.1.3-2 (Fixed in: 2.1.3-3)

Code Analysis

Commit: 269099b

Fix for Issue #67: Validate SMTP command bytes for CRLF injection

private void validateCommand(byte[] cmdBytes) { ... if (b == LF || b == CR) throw ... }
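To make the mechanism and the fix concrete, here is an added example (my own illustration, not Angus Mail's code) with hypothetical helper names: a naive (byte) cast maps U+760D and U+760A to CR and LF, a check on the Unicode string misses them, while a byte-level validateCommand modelled on the fix and the printable-ASCII filter from the mitigations below both reject the field.

```java
public class UnicodeCrlfCheck {
    // Hypothetical stand-in for the naive 16-bit to 8-bit conversion the TL;DR
    // describes: a plain (byte) cast keeps only the low byte of each char.
    static byte[] truncateToBytes(String s) {
        byte[] out = new byte[s.length()];
        for (int i = 0; i < s.length(); i++) {
            out[i] = (byte) s.charAt(i);
        }
        return out;
    }

    // String-level filter: only finds literal CR/LF characters, so it misses
    // Unicode characters whose low byte happens to be 0x0D or 0x0A.
    static boolean hasCrLfChars(String s) {
        return s.indexOf('\r') >= 0 || s.indexOf('\n') >= 0;
    }

    // Byte-level check modelled on the fix's validateCommand: inspects the
    // bytes that would actually be written to the SMTP socket.
    static void validateCommand(byte[] cmdBytes) {
        for (byte b : cmdBytes) {
            if (b == 0x0D || b == 0x0A) {
                throw new IllegalArgumentException("CR/LF in SMTP command bytes");
            }
        }
    }

    // Mitigation from the report: restrict the field to printable ASCII.
    static boolean isPrintableAscii(String s) {
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c > 0x7E) return false;
        }
        return true;
    }
    public static void main(String[] args) {
        // Constructed sample: U+760D truncates to 0x0D (CR), U+760A to 0x0A (LF).
        String field = "alice\u760D\u760Aexample.org";
        byte[] wire = truncateToBytes(field);
        System.out.println("string-level check finds CR/LF: " + hasCrLfChars(field));
        System.out.printf("byte 5 after truncation: 0x%02X%n", wire[5]);
        System.out.println("printable-ASCII filter accepts: " + isPrintableAscii(field));
        try {
            validateCommand(wire);
            System.out.println("byte-level check: accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("byte-level check: rejected, " + e.getMessage());
        }
    }
}
```

The point to take away is that any CR/LF filter must run on the bytes the library actually emits, not on the Unicode string handed to it.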

Exploit Details

  • GitHub: JUnit test case demonstrating the injection using Chinese characters

Mitigation Strategies

  • Input Validation: Restrict email fields to printable ASCII characters only.
  • Punycode Encoding: Convert internationalized domain names to Punycode before processing.
  • Library Update: Patch the underlying Jakarta/Angus Mail library.

Remediation Steps:

  1. Identify all applications using jakarta.mail or angus-mail artifacts.
  2. Upgrade angus-mail to version 2.0.4 or higher.
  3. For IBM WebSphere, apply APAR PH68418/PH68424.
  4. For Jenkins, upgrade Jakarta Mail API Plugin to 2.1.3-3.
  5. Restart application services to load the new library classes.

Read the full report for CVE-2025-7962 on our website for more details including interactive diagrams and full exploit analysis.