Medium severity 6.1 · NVD Advisory · Published Jun 12, 2017 · Updated May 13, 2026
CVE-2015-9097
Description
The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mail (RubyGems) | < 2.5.5 | 2.5.5 |
Affected products
1
Patches
- 72befdc4dab3: https://github.com/mikel/mail (via ghsa)
References
- github.com/mikel/mail/commit/72befdc4dab3e6e288ce226a7da2aa474cf5be83 [nvd; Exploit, Third Party Advisory; WEB]
- openwall.com/lists/oss-security/2015/12/11/3 [nvd; Mailing List, Third Party Advisory; WEB]
- www.mbsd.jp/Whitepaper/smtpi.pdf [nvd; Third Party Advisory; WEB]
- github.com/advisories/GHSA-q86f-fmqf-qrf6 [ghsa; ADVISORY]
- github.com/mikel/mail/pull/1097 [nvd; Issue Tracking, Third Party Advisory; WEB]
- github.com/rubysec/ruby-advisory-db/issues/215 [nvd; Issue Tracking, Third Party Advisory; WEB]
- hackerone.com/reports/137631 [nvd; Issue Tracking, Third Party Advisory; WEB]
- nvd.nist.gov/vuln/detail/CVE-2015-9097 [ghsa; ADVISORY]
- rubysec.com/advisories/mail-OSVDB-131677 [nvd; Issue Tracking, Vendor Advisory; WEB]