Inclusion of Functionality from Untrusted Control Sphere in PHPMailer/PHPMailer
Description
PHPMailer 6.4.1 and earlier allow a globally defined 'php' function to override the built-in email address validator, enabling untrusted code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
PHPMailer versions 6.4.1 and earlier contain a flaw in the validateAddress() method. When the $patternselect parameter is set to 'php' (the default, defined by PHPMailer::$validator), the library looks up a validator function by name in the global namespace. If an attacker has already injected a function named php into the global scope (via other means, such as a compromised autoloader or malicious code already present in the host project), PHPMailer will call that untrusted function instead of its own built-in validator. This is mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names [1][4].
Exploitation
Exploitation requires that an attacker has already placed a function named php in the global PHP namespace of the target project (e.g., through a separate code injection vulnerability, a malicious Composer package, or a compromised autoloader). No additional authentication or network access is needed to trigger the vulnerable code path once the malicious function exists. When any code calls PHPMailer::validateAddress() with the default $patternselect setting, the library will resolve the validator name 'php' to the globally defined function and execute it [2][4].
Impact
Successful exploitation allows an attacker to execute arbitrary PHP code with the privileges of the calling process. The injected php function can perform any action, including reading or modifying files, exfiltrating data, or establishing persistence. The compromise is at the privilege level of the application using PHPMailer, which could lead to full system compromise depending on the application's permissions [1][4].
Mitigation
The fix was released in PHPMailer version 6.5.0 on 2021-06-17, which disallows using simple strings as validator function names, thus preventing the namespace conflict. Users should upgrade to PHPMailer 6.5.0 or later. No workaround is available for earlier versions other than updating. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1][4].
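To make the dispatch concrete, here is an added stand-alone PHP script (not PHPMailer's own code and not from the advisory) that models the validator lookup in validateAddress() before and after the 6.5.0 change. It assumes a constructed global function named php standing in for code already injected into the host project, and a stand-in builtinValidate() in place of the library's real pattern switch.

```php
<?php
// Added example, not PHPMailer's own code: a simplified model of the validator
// dispatch in validateAddress() before and after the 6.5.0 fix. The global
// function `php` is a CONSTRUCTED stand-in for code already injected into the
// host project by other means; it only records that it ran and returns false.

$GLOBALS['injected_calls'] = 0;

function php(string $address): bool
{
    $GLOBALS['injected_calls']++;
    return false;
}

// Stand-in for the built-in validators; unknown pattern names fall back to
// the default, as the library's own test for 'phpx' expects.
function builtinValidate(string $address, string $pattern): bool
{
    return (bool) filter_var($address, FILTER_VALIDATE_EMAIL);
}

// Pre-fix shape: a string that is_callable() resolves to a global function
// wins, so the default 'php' pattern dispatches to the injected function.
function validateVulnerable(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    return builtinValidate($address, $patternselect);
}

// 6.5.0 shape (commit 45f3c18): only non-string callables such as Closures or
// [$object, 'method'] arrays are honoured; every string, even one naming an
// existing global function, falls through to the built-in patterns.
function validateFixed(string $address, $patternselect = 'php'): bool
{
    if (is_callable($patternselect) && !is_string($patternselect)) {
        return (bool) call_user_func($patternselect, $address);
    }
    return builtinValidate($address, $patternselect);
}

$addr   = 'test@example.com';
$before = validateVulnerable($addr);             // injected php() decides
$after  = validateFixed($addr);                  // built-in decides
$custom = validateFixed($addr, fn($a) => false); // Closure still honoured
if ($before || !$after || $custom || $GLOBALS['injected_calls'] !== 1) {
    throw new RuntimeException('dispatch model did not behave as described');
}
echo "injected php() ran {$GLOBALS['injected_calls']} time(s), only on the vulnerable path\n";
```

The script throws if the injected function is reached on the fixed path, so it doubles as a regression check for the is_string() guard.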
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmailer/phpmailer (Packagist) | < 6.5.0 | 6.5.0 |
Affected products
OSV coordinates (3 entries):
- (no CPE) range: < 6.4.2
- (no CPE) range: < 6.5.0
- range: unspecified
Patches
Commit 45f3c18dc6a2: Deny string-based callables altogether
3 files changed · +7 −10
SECURITY.md+1 −1 modified@@ -2,7 +2,7 @@ Please disclose any security issues or vulnerabilities found through [Tidelift's coordinated disclosure system](https://tidelift.com/security) or to the maintainers privately. -PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the `$patternselect` parameter to `validateAddress()` is set to `'php'` (the default, defined by `static::$validator`), and the global namespace contains a function called `php`, it will be called in preference to the built-in validator of the same name. This is patched in PHPMailer 6.5.0 by denying the use of callables with the same names as built-in validators. Reported by [Vikrant Singh Chauhan](mailto:vi@hackberry.xyz) via [huntr.dev](https://www.huntr.dev/). Recorded as [CVE-2021-3603](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3603). +PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the `$patternselect` parameter to `validateAddress()` is set to `'php'` (the default, defined by `static::$validator`), and the global namespace contains a function called `php`, it will be called in preference to the built-in validator of the same name. This is patched in PHPMailer 6.5.0 by denying the use of simple strings as validator function names, which is a very minor BC break. Reported by [Vikrant Singh Chauhan](mailto:vi@hackberry.xyz) via [huntr.dev](https://www.huntr.dev/). Recorded as [CVE-2021-3603](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3603). PHPMailer versions between 6.1.8 and 6.4.0 contain a regression of the earlier CVE-2018-19296 object injection vulnerability as a result of [a fix for Windows UNC paths in 6.1.8](https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9). 
Recorded as [CVE-2020-36326](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36326). Reported by Fariskhi Vidyan via Tidelift. 6.4.1 fixes this issue, and also enforces stricter checks for URL schemes in local path contexts.
src/PHPMailer.php+2 −6 modified@@ -1337,12 +1337,8 @@ public static function validateAddress($address, $patternselect = null) if (null === $patternselect) { $patternselect = static::$validator; } - //Don't allow overriding built-in validators with callables - if ( - is_callable($patternselect) && - //It's callable and not a string, or it's a string callable that's not a built-in pattern - (!is_string($patternselect) || !in_array(strtolower($patternselect), ['php', 'pcre', 'pcre8', 'html5'])) - ) { + //Don't allow strings as callables, see SECURITY.md and CVE-2021-3603 + if (is_callable($patternselect) && !is_string($patternselect)) { return call_user_func($patternselect, $address); } //Reject line breaks in addresses; it's valid RFC5322, but not RFC5321
test/PHPMailerTest.php+4 −3 modified@@ -733,13 +733,14 @@ function ($address) { 'PHP validator not behaving as expected' ); - //Test denying override of built-in validator names + //Test denying function name callables as validators //See SECURITY.md and CVE-2021-3603 //If a `php` function defined in validators.php successfully overrides this built-in validator name, //this would return false – and we don't want to allow that self::assertTrue(PHPMailer::validateAddress('test@example.com', 'php')); - //Check a non-matching validator function, which should be permitted, and return false in this case - self::assertFalse(PHPMailer::validateAddress('test@example.com', 'phpx')); + //Check that a non-existent validator name falls back to a built-in validator + //and does not call a global function with that name + self::assertTrue(PHPMailer::validateAddress('test@example.com', 'phpx')); } /**
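Review bot: the rewritten SECURITY.md sentence says 6.5.0 works "by denying the use of simple strings as validator function names, which is a very minor BC break" but never says what now happens to such a string; since the src/PHPMailer.php hunk makes every string fall through to the built-in pattern handling instead of erroring, state that here so integrators who passed a 'Class::method' string learn that their callback is now silently ignored.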
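Review bot: the new guard `if (is_callable($patternselect) && !is_string($patternselect))` silently drops every string callable, including ones that are not built-in pattern names, and lets them fall through to the pattern switch; the validateAddress() docblock (outside this hunk) should document that change next to the `//Don't allow strings as callables, see SECURITY.md and CVE-2021-3603` comment, and it is worth deciding whether a string that is callable but matches no known pattern should throw rather than quietly validate with the default pattern, since the quiet path hides a misconfiguration.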
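Review bot: the changed assertion `self::assertTrue(PHPMailer::validateAddress('test@example.com', 'phpx'))` only shows that 'phpx' falls back to a built-in validator that returns true; it does not by itself prove the claim in the new comment that a global function of that name is never called unless validators.php also defines a `phpx` function that returns false or records being invoked. Either add such a function beside the existing `php` one or assert on a call counter, so the test fails if the string-callable path is ever reintroduced.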
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-77mr-wc79-m8j3 (ghsa, ADVISORY)
- [2] lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YRMWGA4VTMXFB22KICMB7YMFZNFV3EJ/ (mitre, vendor-advisory, x_refsource_FEDORA)
- [3] lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FJYSOFCUBS67J3TKR74SD3C454N7VTYM/ (mitre, vendor-advisory, x_refsource_FEDORA)
- [4] nvd.nist.gov/vuln/detail/CVE-2021-3603 (ghsa, ADVISORY)
- [5] github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2021-3603.yaml (ghsa, WEB)
- [6] github.com/PHPMailer/PHPMailer/commit/45f3c18dc6a2de1cb1bf49b9b249a9ee36a5f7f3 (ghsa, x_refsource_MISC, WEB)
- [7] github.com/PHPMailer/PHPMailer/releases/tag/v6.5.0 (ghsa, WEB)
- [8] github.com/PHPMailer/PHPMailer/security/advisories/GHSA-77mr-wc79-m8j3 (ghsa, WEB)
- [9] lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YRMWGA4VTMXFB22KICMB7YMFZNFV3EJ (ghsa, WEB)
- [10] lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FJYSOFCUBS67J3TKR74SD3C454N7VTYM (ghsa, WEB)
- [11] web.nvd.nist.gov/view/vuln/detail (ghsa, WEB)
- [12] www.huntr.dev/bounties/1-PHPMailer/PHPMailer (ghsa, WEB)
- [13] www.huntr.dev/bounties/1-PHPMailer/PHPMailer/ (mitre, x_refsource_CONFIRM)