Skip to content

fix(deps): update dependency aiosmtplib to v5 [security]#1883

Open
oep-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-aiosmtplib-vulnerability
Open

fix(deps): update dependency aiosmtplib to v5 [security]#1883
oep-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-aiosmtplib-vulnerability

Conversation

@oep-renovate

@oep-renovate oep-renovate Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
aiosmtplib (changelog) ==2.0.2==5.1.1 age confidence

aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient address

CVE-2026-53533 / GHSA-v3q9-hj7j-63hq / PYSEC-2026-2338

More information

Details

Summary

aiosmtplib's SMTP.mail(), SMTP.rcpt(), SMTP.vrfy() and SMTP.expn() send the caller-supplied email address to the server without rejecting embedded CR/LF (\r\n) bytes. An address that contains a CR/LF is written verbatim onto the SMTP control connection, so the bytes after the CRLF are framed by the server as one or more additional, standalone SMTP command lines. A caller that passes an attacker-influenced sender or recipient address into mail()/rcpt() (or vrfy()/expn()) therefore allows SMTP command injection (CWE-93 / CWE-77): the attacker can smuggle arbitrary SMTP verbs such as MAIL FROM, RCPT TO, RSET, DATA, or AUTH into the session. Injected commands will cause the SMTP instance to hang, but all commands required to complete the envelope could be sent in one address string.

The SMTP.sendmail() command will pass sender and recipient addresses verbatim through to SMTP.mail() & SMTP.rcpt(), and so is also vulnerable. SMTP.send_message() is not affected.

Impact

Severity: medium. Type: SMTP protocol command injection (CWE-93 — Improper Neutralization of CRLF Sequences; CWE-77 — Command Injection).

When an application built on aiosmtplib derives the envelope sender or any recipient from data an attacker can influence (a web form etc.) and passes it to mail()/rcpt() (directly, or via sendmail()/send() without a Message object), the attacker can:

  • desynchronize the command/response pipeline and cause the aiosmtplib client to hang, resulting in a possible denial of service
  • inject multiple commands in one address to send an arbitrary message

The address only needs to reach mail()/rcpt()/vrfy()/expn(); no attacker control over the SMTP server is required.

Vulnerable versions

Affected version: aiosmtplib 5.1.0 (latest at time of report) and all earlier releases.

Credit

Reported by tonghuaroot.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient address

CVE-2026-53533 / GHSA-v3q9-hj7j-63hq / PYSEC-2026-2338

More information

Details

Summary

aiosmtplib's SMTP.mail(), SMTP.rcpt(), SMTP.vrfy() and SMTP.expn() send the caller-supplied email address to the server without rejecting embedded CR/LF (\r\n) bytes. An address that contains a CR/LF is written verbatim onto the SMTP control connection, so the bytes after the CRLF are framed by the server as one or more additional, standalone SMTP command lines. A caller that passes an attacker-influenced sender or recipient address into mail()/rcpt() (or vrfy()/expn()) therefore allows SMTP command injection (CWE-93 / CWE-77): the attacker can smuggle arbitrary SMTP verbs such as MAIL FROM, RCPT TO, RSET, DATA, or AUTH into the session. Injected commands will cause the SMTP instance to hang, but all commands required to complete the envelope could be sent in one address string.

The SMTP.sendmail() command will pass sender and recipient addresses verbatim through to SMTP.mail() & SMTP.rcpt(), and so is also vulnerable. SMTP.send_message() is not affected.

Impact

Severity: medium. Type: SMTP protocol command injection (CWE-93 — Improper Neutralization of CRLF Sequences; CWE-77 — Command Injection).

When an application built on aiosmtplib derives the envelope sender or any recipient from data an attacker can influence (a web form etc.) and passes it to mail()/rcpt() (directly, or via sendmail()/send() without a Message object), the attacker can:

  • desynchronize the command/response pipeline and cause the aiosmtplib client to hang, resulting in a possible denial of service
  • inject multiple commands in one address to send an arbitrary message

The address only needs to reach mail()/rcpt()/vrfy()/expn(); no attacker control over the SMTP server is required.

Vulnerable versions

Affected version: aiosmtplib 5.1.0 (latest at time of report) and all earlier releases.

Credit

Reported by tonghuaroot.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:H/SA:N

References

This data is provided by OSV and the PyPI Advisory Database (CC-BY 4.0).


Release Notes

cole/aiosmtplib (aiosmtplib)

v5.1.1

Compare Source

  • Security: Reject control characters (the C0 range 0x00-0x1F and DEL
    0x7F, including CR, LF, and NUL) in SMTP command arguments, preventing
    command injection via input passed to mail(), rcpt(), vrfy(),
    expn() or sendmail(). Such input now raises ValueError before
    anything is written to the connection.
    More details: GHSA-v3q9-hj7j-63hq
    Thanks to @​tonghuaroot for the report.
  • Bugfix: SMTP.quit() no longer hangs until the read timeout when the
    peer drops the transport with an exception after QUIT is sent but
    before the 221 reply is parsed (e.g. AWS SES closing TLS without
    close_notify).

v5.1.0

Compare Source

  • Feature: Add XOAUTH2 authentication support

v5.0.0

Compare Source

  • BREAKING: Drop Python 3.9 support

v4.0.2

Compare Source

  • Bugfix: correct aexit signature to comply with async context manager protocol
    (thanks @​oliverlambson)

v4.0.1

Compare Source

  • Bugfix: Always clear the connect lock on connection lost, allowing client reconnect

v4.0.0

Compare Source

  • BREAKING: Drop Python 3.8 support
  • Bugfix: Run socket.getfqdn in thread to avoid blocking event loop
    if local_hostname not provided (thanks @​Raidzin)
  • Bugfix: Clear connect lock on connection lost, allowing client reconnect
  • Bugfix: Allow socket connections to use TLS by providing hostname and
    use_tls=True

v3.0.2

Compare Source

  • Bugfix: Type of "send" is partially unknown with pyright
  • Bugfix: Fix asyncio deadlock trying to reconnect after error (thanks @​Voldemat)
  • Change: Switched from Poetry to build/hatch/twine for packaging.

v3.0.1

Compare Source

  • Bugfix: 'Future exception was never retrieved' warning in SMTPProtocol
    after successful connection close and garbage collection.
  • Cleanup: Updated FlowControlMixin logic from stdlib

v3.0.0

Compare Source

  • BREAKING: Drop Python 3.7 support.
  • BREAKING: Positional arguments are now positional only, and keyword arguments
    are keyword only.
  • BREAKING: Passing source_address as a string argument (deprecated in 2.0)
    is now an error. source_address takes a (addr, port) tuple that is used as
    the local_addr param of asyncio.create_connection, allowing for binding
    to a specific IP. The local_hostname argument takes the value to be sent to
    the server with the EHLO/HELO message (which is what source_address was used
    for prior to 2.0).
  • Change: don't use timeout value passed to connect everywhere,
    only for the initial connection (credit @​wombatonfire)
  • Change: removed unnecessary connection lost callback
  • Change: revised handling for 'Future exception was never retrieved' warnings in
    protocol

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Signed-off-by: oep-renovate[bot] <212772560+oep-renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants