In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade aiosmtplib to version 5.1.1 or higher.
aiosmtplib is an aiosmtplib is an asynchronous SMTP client for use with asyncio.
Affected versions of this package are vulnerable to CRLF Injection via the SMTPProtocol.execute_command() path in src/aiosmtplib/protocol.py. An attacker can inject extra SMTP verbs by supplying a sender or recipient address containing CR/LF bytes to mail(), rcpt(), vrfy(), expn(), or sendmail(). The address is written verbatim onto the SMTP control connection, which lets the attacker desynchronize the session, hang the client, and smuggle arbitrary commands into the envelope processing path, putting outgoing mail transactions at risk.
Notes
SMTP.send_message() is explicitly out of scope for this issue; the vulnerable path is the envelope-command APIs that forward raw address strings into the command-sending layer, not message-header serialization.mail(), rcpt(), vrfy(), expn(), or sendmail() are not exposed.