fix(deps): update dependency aiosmtplib to v5 [security]#1883
Open
oep-renovate[bot] wants to merge 1 commit into
Open
fix(deps): update dependency aiosmtplib to v5 [security]#1883oep-renovate[bot] wants to merge 1 commit into
oep-renovate[bot] wants to merge 1 commit into
Conversation
Signed-off-by: oep-renovate[bot] <212772560+oep-renovate[bot]@users.noreply.github.com>
oep-renovate
Bot
requested review from
jcchr,
mgumowsk and
piotrgrubicki
as code owners
July 8, 2026 03:18
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
==2.0.2→==5.1.1aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient address
CVE-2026-53533 / GHSA-v3q9-hj7j-63hq / PYSEC-2026-2338
More information
Details
Summary
aiosmtplib'sSMTP.mail(),SMTP.rcpt(),SMTP.vrfy()andSMTP.expn()send the caller-supplied email address to the server without rejecting embedded CR/LF (\r\n) bytes. An address that contains a CR/LF is written verbatim onto the SMTP control connection, so the bytes after the CRLF are framed by the server as one or more additional, standalone SMTP command lines. A caller that passes an attacker-influenced sender or recipient address intomail()/rcpt()(orvrfy()/expn()) therefore allows SMTP command injection (CWE-93 / CWE-77): the attacker can smuggle arbitrary SMTP verbs such asMAIL FROM,RCPT TO,RSET,DATA, orAUTHinto the session. Injected commands will cause theSMTPinstance to hang, but all commands required to complete the envelope could be sent in one address string.The
SMTP.sendmail()command will pass sender and recipient addresses verbatim through toSMTP.mail()&SMTP.rcpt(), and so is also vulnerable.SMTP.send_message()is not affected.Impact
Severity: medium. Type: SMTP protocol command injection (CWE-93 — Improper Neutralization of CRLF Sequences; CWE-77 — Command Injection).
When an application built on
aiosmtplibderives the envelope sender or any recipient from data an attacker can influence (a web form etc.) and passes it tomail()/rcpt()(directly, or viasendmail()/send()without aMessageobject), the attacker can:The address only needs to reach
mail()/rcpt()/vrfy()/expn(); no attacker control over the SMTP server is required.Vulnerable versions
Affected version:
aiosmtplib5.1.0 (latest at time of report) and all earlier releases.Credit
Reported by tonghuaroot.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient address
CVE-2026-53533 / GHSA-v3q9-hj7j-63hq / PYSEC-2026-2338
More information
Details
Summary
aiosmtplib'sSMTP.mail(),SMTP.rcpt(),SMTP.vrfy()andSMTP.expn()send the caller-supplied email address to the server without rejecting embedded CR/LF (\r\n) bytes. An address that contains a CR/LF is written verbatim onto the SMTP control connection, so the bytes after the CRLF are framed by the server as one or more additional, standalone SMTP command lines. A caller that passes an attacker-influenced sender or recipient address intomail()/rcpt()(orvrfy()/expn()) therefore allows SMTP command injection (CWE-93 / CWE-77): the attacker can smuggle arbitrary SMTP verbs such asMAIL FROM,RCPT TO,RSET,DATA, orAUTHinto the session. Injected commands will cause theSMTPinstance to hang, but all commands required to complete the envelope could be sent in one address string.The
SMTP.sendmail()command will pass sender and recipient addresses verbatim through toSMTP.mail()&SMTP.rcpt(), and so is also vulnerable.SMTP.send_message()is not affected.Impact
Severity: medium. Type: SMTP protocol command injection (CWE-93 — Improper Neutralization of CRLF Sequences; CWE-77 — Command Injection).
When an application built on
aiosmtplibderives the envelope sender or any recipient from data an attacker can influence (a web form etc.) and passes it tomail()/rcpt()(directly, or viasendmail()/send()without aMessageobject), the attacker can:The address only needs to reach
mail()/rcpt()/vrfy()/expn(); no attacker control over the SMTP server is required.Vulnerable versions
Affected version:
aiosmtplib5.1.0 (latest at time of report) and all earlier releases.Credit
Reported by tonghuaroot.
Severity
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:NReferences
This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).
Release Notes
cole/aiosmtplib (aiosmtplib)
v5.1.1Compare Source
0x00-0x1Fand DEL0x7F, including CR, LF, and NUL) in SMTP command arguments, preventingcommand injection via input passed to
mail(),rcpt(),vrfy(),expn()orsendmail(). Such input now raisesValueErrorbeforeanything is written to the connection.
More details: GHSA-v3q9-hj7j-63hq
Thanks to @tonghuaroot for the report.
SMTP.quit()no longer hangs until the read timeout when thepeer drops the transport with an exception after
QUITis sent butbefore the 221 reply is parsed (e.g. AWS SES closing TLS without
close_notify).v5.1.0Compare Source
v5.0.0Compare Source
v4.0.2Compare Source
(thanks @oliverlambson)
v4.0.1Compare Source
v4.0.0Compare Source
socket.getfqdnin thread to avoid blocking event loopif
local_hostnamenot provided (thanks @Raidzin)hostnameanduse_tls=Truev3.0.2Compare Source
v3.0.1Compare Source
after successful connection close and garbage collection.
v3.0.0Compare Source
are keyword only.
source_addressas a string argument (deprecated in 2.0)is now an error.
source_addresstakes a (addr, port) tuple that is used asthe
local_addrparam ofasyncio.create_connection, allowing for bindingto a specific IP. The
local_hostnameargument takes the value to be sent tothe server with the EHLO/HELO message (which is what
source_addresswas usedfor prior to 2.0).
connecteverywhere,only for the initial connection (credit @wombatonfire)
protocol
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.