VYPR
Moderate severity · NVD Advisory · Published Nov 12, 2020 · Updated Aug 4, 2024

CVE-2020-28247

Description

The lettre library through 0.10.0-alpha for Rust allows arbitrary sendmail option injection via transport/sendmail/mod.rs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Lettre Rust email library through 0.10.0-alpha allows sendmail argument injection via forged email addresses, potentially enabling arbitrary file writes.

CVE-2020-28247 concerns an argument injection vulnerability in the sendmail transport of the Rust lettre email library (all versions through 0.10.0-alpha).

The root cause lies in transport/sendmail/mod.rs, where the library builds the sendmail command-line invocation by passing email addresses directly as arguments. Because addresses are neither validated nor separated from sendmail's own options, a crafted recipient (to) address can inject arbitrary arguments into the sendmail command. This is a classic argument injection flaw: user-controlled input (the recipient address) reaches an external command unsafely.

Exploitation

An attacker can exploit this by supplying a specially crafted recipient address, such as one that begins with a dash and is therefore parsed as a command-line flag. For example, depending on the sendmail implementation (original sendmail, Postfix, Exim, etc.), it may be possible to use flags like -O (set option) or -X (log to file) to redirect email content or logging to an arbitrary file. The attack requires no authentication, as the vulnerable option handling occurs before any credential check. A remote attacker who can cause an email to be sent through an application using the vulnerable SendmailTransport can trigger the injection.

Impact

Successful exploitation allows an attacker to write arbitrary data (the email body, headers, or log output) to a file of the attacker's choice on the system. The advisory lists categories as code-execution and file-disclosure, but the primary practical impact is file write, which could lead to remote code execution if the attacker can write to a location that affects program execution or configuration. The CVSS score is 5.3 (Medium) due to network attack vector, low attack complexity, and no privileges required, though confidentiality impact is listed as None.

Mitigation

The issue is patched starting from version 0.10.0-alpha.4, as well as in selected older branches (>=0.9.5, >=0.8.4, >=0.7.1). Applications using earlier versions should upgrade immediately. The fix involved properly escaping or separating arguments to the sendmail command. As of the latest releases, the library also supports alternative transports (SMTP) that are not vulnerable to this injection.

[1][2][4]
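To make the root cause and the mitigation concrete, here is an added Rust example (not lettre's own code, and not its actual fix) that contrasts the unsafe pattern described above with a hardened argv builder. The unsafe builder appends recipient strings to argv as-is, so a recipient that starts with a dash reaches sendmail as an option. The hardened builder validates every address and places all recipients after a literal "--". The function names, the validation rules, and the assumption that the local sendmail front end honours "--" as end-of-options (true for getopt-style front ends) are this example's own.

```rust
use std::process::Command;

/// Sender used by the demo (constructed for this example).
const DEMO_FROM: &str = "app@example.org";

/// The unsafe shape described in the advisory: recipients are appended to argv
/// unchanged, so a recipient beginning with '-' is read by sendmail as an option.
pub fn build_argv_unsafe(from: &str, to: &[&str]) -> Vec<String> {
    let mut argv = vec!["-i".to_string(), "-f".to_string(), from.to_string()];
    argv.extend(to.iter().map(|s| s.to_string()));
    argv
}

/// Conservative address check used by the hardened builder. It is a defensive
/// allow-list for command-line use, not an RFC 5322 parser: it rejects empty
/// strings, anything that could be parsed as an option, whitespace and control
/// characters, and strings that do not have a non-empty local part and domain.
pub fn validate_address(addr: &str) -> Result<(), String> {
    if addr.is_empty() {
        return Err("empty address".to_string());
    }
    if addr.starts_with('-') {
        return Err(format!("address {:?} looks like a command-line option", addr));
    }
    if addr.chars().any(|c| c.is_whitespace() || c.is_control()) {
        return Err(format!("address {:?} contains whitespace or control characters", addr));
    }
    let at = addr.find('@').ok_or_else(|| format!("address {:?} has no '@'", addr))?;
    if at == 0 || at == addr.len() - 1 {
        return Err(format!("address {:?} has an empty local part or domain", addr));
    }
    Ok(())
}

/// Hardened variant: every address is validated, and all recipients follow a
/// literal "--" so option parsing stops before they are examined.
/// Assumption: the installed sendmail binary honours "--" as end-of-options.
pub fn build_argv_safe(from: &str, to: &[&str]) -> Result<Vec<String>, String> {
    validate_address(from)?;
    if to.is_empty() {
        return Err("no recipients".to_string());
    }
    let mut argv = vec![
        "-i".to_string(),
        "-f".to_string(),
        from.to_string(),
        "--".to_string(),
    ];
    for addr in to {
        validate_address(addr)?;
        argv.push(addr.to_string());
    }
    Ok(argv)
}

/// Builds the Command without spawning it, so callers can inspect the argv.
/// The binary path is an assumption for this example.
pub fn sendmail_command(from: &str, to: &[&str]) -> Result<Command, String> {
    let argv = build_argv_safe(from, to)?;
    let mut cmd = Command::new("/usr/sbin/sendmail");
    cmd.args(&argv);
    Ok(cmd)
}

fn main() {
    // Constructed recipient that would be parsed as the -X flag by the unsafe builder.
    let hostile = ["-Xlog"];
    println!("unsafe argv: {:?}", build_argv_unsafe(DEMO_FROM, &hostile));
    match build_argv_safe(DEMO_FROM, &hostile) {
        Ok(argv) => println!("safe argv: {:?}", argv),
        Err(e) => println!("safe builder rejected input: {}", e),
    }
    let ok = build_argv_safe(DEMO_FROM, &["alice@example.org"]).unwrap();
    println!("safe argv for a normal recipient: {:?}", ok);
}
```

The two-layer approach matters: the "--" separator is what stops a getopt-style front end from interpreting a dash-prefixed recipient, while the validation step catches inputs before they reach any sendmail variant that might not honour the separator.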

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions     Patched versions
lettre (crates.io)   >= 0.9.0, < 0.9.5     0.9.5
lettre (crates.io)   >= 0.8.0, < 0.8.4     0.8.4
lettre (crates.io)   >= 0.7.0, < 0.7.1     0.7.1

Affected products

  • Rust/lettre library (from the description)
  • GHSA coordinates: Range >= 0.9.0, < 0.9.5
