Magnesium-PHP Base.php formatEmailString injection
Description
Magnesium-PHP up to 0.3.0 contains an injection vulnerability in formatEmailString that allows breaking recipient strings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
What the vulnerability is
CVE-2017-20187 describes an injection vulnerability in the formatEmailString function of the file src/Magnesium/Message/Base.php in the Magnesium-PHP library, versions up to 0.3.0 [1]. The function does not sanitize the email or name arguments, so crafted input containing characters such as "<", ">", "@" or "," can break the intended structure of the email address string [2]. The commit that patches the issue [2] explicitly notes that user-controlled names or emails could break the "To" header when the batch message feature is used, potentially leading to unintended disclosure or misdirection of emails.
How it is exploited
An attacker who can control either the email address or the display name (e.g., through user registration or profile fields) can inject special characters that alter the format of the email header. For example, a name like "no1@example.com, Not Okay <no2@example.com>" would cause Mailgun to interpret multiple recipients, effectively injecting additional addresses into the batch [2]. No authentication is required beyond the ability to supply the vulnerable input to the library; the attack surface is the email composition feature of an application using Magnesium-PHP.
Impact
Successful exploitation allows an attacker to manipulate the recipient list of outgoing emails. This could lead to unauthorized disclosure of email addresses to unintended parties, or cause emails to be sent to attacker-controlled addresses, bypassing the application's intended recipient restrictions. The impact is limited to breaching confidentiality and breaking expected email behavior, but does not allow code execution or direct server compromise.
Mitigation
The issue is fixed in version 0.3.1, which introduces the removeToStringBreakingSymbols method that strips problematic characters from names and emails [2][3]. The maintainer recommends upgrading to 0.3.1 or later [1]. However, this CVE is marked "UNSUPPORTED WHEN ASSIGNED" because the library's maintenance status is unknown; users should consider migrating to a supported alternative if no official support is available [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
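To make the mechanism and the fix concrete, the following is an added example written for this page, not code from the Magnesium-PHP project. It rebuilds the formatter in three variants: the unsanitized one, the 0.3.1 strip-based fix as shown in the patch, and a stricter validate-and-quote variant that is a suggested alternative rather than the library's API; the recipient addresses and the hostile display name are the constructed values quoted in the fix commit.

```php
<?php
// Added example, not code from the Magnesium-PHP project. It reproduces the
// formatter described above for CVE-2017-20187 in three variants: vulnerable,
// the 0.3.1 strip-based fix, and a stricter validate-and-quote variant that
// is a suggested alternative, not the library's API.
// Equivalent to Base.php <= 0.3.0: no sanitisation of name or email.
function formatEmailStringVulnerable(string $email, ?string $name = null): string
{
    return $name ? sprintf('%s <%s>', $name, $email) : $email;
}

// The 0.3.1 fix: strip "<>," from emails and "<>,@" from display names.
function removeToStringBreakingSymbols(string $string, bool $isEmail): string
{
    return str_replace($isEmail ? ['>', '<', ','] : ['>', '<', ',', '@'], '', $string);
}

function formatEmailStringPatched(string $email, ?string $name = null): string
{
    return $name
        ? sprintf('%s <%s>',
            removeToStringBreakingSymbols($name, false),
            removeToStringBreakingSymbols($email, true))
        : removeToStringBreakingSymbols($email, true);
}

// Stricter alternative (assumption, not Magnesium-PHP's code): reject an invalid
// address instead of rewriting it, refuse control characters, and emit the name
// as an RFC 5322 quoted-string so "," "<" ">" "@" inside it delimit nothing.
function formatEmailStringStrict(string $email, ?string $name = null): string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid recipient address');
    }
    if ($name === null || $name === '') {
        return $email;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $name) === 1) {
        throw new InvalidArgumentException('Control characters in display name');
    }
    return sprintf('"%s" <%s>', addcslashes($name, "\\\""), $email);
}

// Constructed batch "To" string, comma-joined as the page describes, using the
// hostile display name quoted in the fix commit.
$name = 'no1@example.com, Not Okay <no2@example.com>, Sherbert';
$others = ['user@example.com', 'user2@example.com'];
foreach (['formatEmailStringVulnerable', 'formatEmailStringPatched', 'formatEmailStringStrict'] as $fn) {
    echo $fn, ': ', implode(', ', array_merge($others, [$fn('hello@example.com', $name)])), PHP_EOL;
}
```

Running it shows the vulnerable variant producing a "To" string with extra recipients, the patched variant collapsing the name into a single harmless token, and the strict variant keeping the name intact but inert inside a quoted-string.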
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| floriangaerber/magnesium (Packagist) | < 0.3.1 | 0.3.1 |
Affected products
- Magnesium-PHP/Magnesium-PHP (source: description)
Patches
- 500d340e1f64: Fix exploit of user's names/emails breaking "To"
1 file changed · +29 −2
src/Magnesium/Message/Base.php+29 −2 modified@@ -227,8 +227,35 @@ public function getFromString() protected function formatEmailString(string $email, string $name = null) { return $name - ? sprintf('%s <%s>', $name, $email) - : $email; + ? sprintf( + '%s <%s>', + $this->removeToStringBreakingSymbols($name, false), + $this->removeToStringBreakingSymbols($email, true)) + : $this->removeToStringBreakingSymbols($email, true); + } + + /** + * + * Should a user have chosen a name like "no1@example.com, Not Okay <no2@example.com>, Sherbert", + * Mailgun would accept the following to: "user@example.com, user2@example.com, no1@example.com, Not Okay <no2@example.com>, Sherbert <hello@example.com>" + * and would send it accordingly, which is unwanted behavior. + * Removing only "," breaks the To-string, sending the message to + * "user@example.com, user2@example.com, no1@example.com Not Okay <no2@example.com> Sherbert" hello@example.com, + * revealing email addresses of other users. + * Removing only either of "<,>" or "@," breaks the string the same way. + * Only removing "<>@," from the string prevents breaking (as far as I know). + * + * Also use an input validation library like Respect/Validation or find + * another way to prevent emails and names from containing "<>,"! + * + * @param string $string + * @param bool $isEmail + * + * @return string + */ + protected function removeToStringBreakingSymbols(string $string, bool $isEmail) + { + return str_replace($isEmail ? ['>', '<', ','] : ['>', '<', ',', '@'], '', $string); } /**
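Review bot: removeToStringBreakingSymbols silently rewrites user data instead of rejecting invalid input, and the doc comment itself concedes the character list is only "as far as I know" correct before pointing at a validation library; in formatEmailString, validate $email (for example with filter_var($email, FILTER_VALIDATE_EMAIL)) and throw on failure, and render $name as an RFC 5322 quoted-string ('"%s" <%s>' with backslash and double-quote escaped) so that "," "<" ">" and "@" in a display name are inert without being deleted, which also keeps legitimate names containing "@" or "," intact. Minor: the new PHPDoc block opens with an empty line and has no one-line summary before the explanatory paragraph.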
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/floriangaerber/Magnesium-PHP/commit/500d340e1f6421007413cc08a8383475221c2604 (GHSA, patch, web)
- github.com/floriangaerber/Magnesium-PHP/releases/tag/v0.3.1 (GHSA, patch, web)
- github.com/advisories/GHSA-8pp6-5qpw-85g3 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-20187 (GHSA, advisory)
- vuldb.com (GHSA, signature, permissions-required, web)
- vuldb.com (GHSA, vdb-entry, technical-description, web)
News mentions
No linked articles in our index yet.