CRLF Injection Affecting aiosmtplib package, versions [,5.1.1)


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about CRLF Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-AIOSMTPLIB-17889817
  • published8 Jul 2026
  • disclosed7 Jul 2026
  • credittonghuaroot

Introduced: 7 Jul 2026

NewCVE-2026-53533  (opens in a new tab)
CWE-77  (opens in a new tab)
CWE-93  (opens in a new tab)

How to fix?

Upgrade aiosmtplib to version 5.1.1 or higher.

Overview

aiosmtplib is an aiosmtplib is an asynchronous SMTP client for use with asyncio.

Affected versions of this package are vulnerable to CRLF Injection via the SMTPProtocol.execute_command() path in src/aiosmtplib/protocol.py. An attacker can inject extra SMTP verbs by supplying a sender or recipient address containing CR/LF bytes to mail(), rcpt(), vrfy(), expn(), or sendmail(). The address is written verbatim onto the SMTP control connection, which lets the attacker desynchronize the session, hang the client, and smuggle arbitrary commands into the envelope processing path, putting outgoing mail transactions at risk.

Notes

  • SMTP.send_message() is explicitly out of scope for this issue; the vulnerable path is the envelope-command APIs that forward raw address strings into the command-sending layer, not message-header serialization.
  • The affected behavior is confined to the SMTP client’s low-level command arguments path, so deployments that only use higher-level helpers which never pass attacker-controlled envelope addresses into mail(), rcpt(), vrfy(), expn(), or sendmail() are not exposed.

CVSS Base Scores

version 4.0
version 3.1