Critical severity · NVD Advisory · Published Aug 8, 2021 · Updated Aug 4, 2024

CVE-2021-38189

Description

An issue was discovered in the lettre crate before 0.9.6 for Rust. In an e-mail message body, an attacker can place a . character after two CRLF (`\r\n`) sequences and then inject arbitrary SMTP commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SMTP command injection in lettre crate before 0.9.6 allows attackers to inject arbitrary SMTP commands via a crafted message body with double CRLF sequences.

Vulnerability

The lettre crate for Rust (versions prior to 0.9.6 and prior to 0.10.0-rc.3) contains an SMTP command injection vulnerability in its ClientCodec module. The code that escapes lines starting with a period (.) did not properly handle multiple consecutive `\r\n` sequences: its CRLF-tracking state reset to zero on the second `\r`, so a period placed after two `\r\n` sequences in the e-mail body was not dot-stuffed. The receiving server therefore sees a line consisting of a bare period, which ends the DATA phase, and whatever follows in the body is read as SMTP commands. [2][3][4]
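To make the state-machine defect concrete, here is an added example that is not lettre's own code: a minimal reimplementation of the dot-stuffing (RFC 5321 "transparency") codec described above, with the pre-0.9.6 transition and the fixed one selectable by a flag, plus the check a receiving server effectively makes. The struct and function names and the sample body are assumptions constructed for this example.

```rust
// Added example, not lettre's own code: a minimal reimplementation of the
// dot-stuffing (RFC 5321 "transparency") state machine described above, with
// the pre-0.9.6 transition and the fixed one selectable by a flag.
/// CRLF-match state kept across encode() calls: 0 nothing, 1 saw '\r',
/// 2 saw "\r\n", 3 saw "\r\n." (a line starting with '.', which must be stuffed).
struct Transparency {
    escape_count: u8,
    fixed: bool, // true: after "\r\n", a new '\r' restarts the match (the fix)
}
impl Transparency {
    fn encode(&mut self, input: &[u8], out: &mut Vec<u8>) {
        for &byte in input {
            self.escape_count = match self.escape_count {
                0 => if byte == b'\r' { 1 } else { 0 },
                1 => if byte == b'\n' { 2 } else { 0 },
                // Vulnerable form: any byte but '.' resets to 0, so the '\r' of a
                // second CRLF is forgotten and the '.' after "\r\n\r\n" is missed.
                2 => if byte == b'.' { 3 } else if self.fixed && byte == b'\r' { 1 } else { 0 },
                _ => unreachable!(),
            };
            if self.escape_count == 3 {
                out.push(b'.'); // stuff the extra '.' at the start of the line
                self.escape_count = 0;
            }
            out.push(byte);
        }
    }
}

/// Server-side view: does a line starting with a single '.' survive in the
/// encoded bytes? If so, a "\r\n.\r\n" inside the body ends DATA early.
fn has_unstuffed_dot(encoded: &[u8]) -> bool {
    encoded.windows(3).enumerate().any(|(i, w)| w == b"\r\n." && encoded.get(i + 3) != Some(&b'.'))
}
/// Constructed sample body: a '.' line directly after an empty line.
const BODY: &[u8] = b"line one\r\n\r\n.\r\nmore";
/// Encode `input` in one call; returns (encoded bytes, unstuffed '.' line found).
fn check(fixed: bool, input: &[u8]) -> (Vec<u8>, bool) {
    let mut codec = Transparency { escape_count: 0, fixed };
    let mut out = Vec::new();
    codec.encode(input, &mut out);
    let leak = has_unstuffed_dot(&out);
    (out, leak)
}
fn main() {
    println!("pre-0.9.6 leaves a bare '.' line: {}", check(false, BODY).1); // true
    println!("fixed codec leaves a bare '.' line: {}", check(true, BODY).1); // false
}
```

The same encoder handles the ordinary single-CRLF case identically in both modes; only the double-CRLF input separates them.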

Exploitation

An attacker can send a crafted e-mail message whose body contains two consecutive `\r\n` sequences followed by a period and then arbitrary SMTP commands. No special authentication or network position is required beyond being able to send an e-mail through an application that uses a vulnerable lettre version. The attacker controls the message body content, and the injection takes effect during SMTP transmission, when the library encodes the message for the DATA phase. [2][4]

Impact

Successful exploitation allows the attacker to inject arbitrary SMTP commands into the SMTP session, potentially enabling actions such as sending additional e-mails, bypassing authentication, or performing other SMTP-level operations, depending on the server's capabilities. This is a high-severity issue; no CVSS score is specified, but it is categorized as a format injection vulnerability. [3][4]

Mitigation

The vulnerability is fixed in lettre versions 0.9.6 and 0.10.0-rc.3. Users should upgrade to these or later versions. According to the advisory, versions before 0.7.0 may not be affected. No workaround is available other than patching. [3][4]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: lettre (crates.io)
Affected versions: >= 0.7.0, < 0.9.6
Patched versions: 0.9.6

Affected products: 2

Patches: 1
8bfc20506cc5

fix(transport-smtp): Fix transparency codec - 0.9.x (#628)

https://github.com/lettre/lettre · Alexis Mousset · May 22, 2021 · via ghsa
1 file changed · +11 -2
  • lettre/src/smtp/client/mod.rs (+11 -2, modified)
    @@ -51,7 +51,15 @@ impl ClientCodec {
                         match self.escape_count {
                             0 => self.escape_count = if *byte == b'\r' { 1 } else { 0 },
                             1 => self.escape_count = if *byte == b'\n' { 2 } else { 0 },
    -                        2 => self.escape_count = if *byte == b'.' { 3 } else { 0 },
    +                        2 => {
    +                            self.escape_count = if *byte == b'.' {
    +                                3
    +                            } else if *byte == b'\r' {
    +                                1
    +                            } else {
    +                                0
    +                            }
    +                        }
                             _ => unreachable!(),
                         }
                         if self.escape_count == 3 {
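Review bot: the `1 =>` arm still has the reset-to-0 behaviour this hunk removes from the `2 =>` arm: a `\r` received while in state 1 drops the state back to 0 instead of keeping it at 1, so a `\r\r\n` run is not tracked and a `.` following it is not stuffed even though the trailing `\r\n.` is what the server sees. For consistency with the new `2 =>` arm, suggest `1 => self.escape_count = if *byte == b'\n' { 2 } else if *byte == b'\r' { 1 } else { 0 },` so that any `\r` restarts the CRLF match from whatever state the codec is in.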
    @@ -286,6 +294,7 @@ mod test {
             let mut buf: Vec<u8> = vec![];
     
             assert!(codec.encode(b"test\r\n", &mut buf).is_ok());
    +        assert!(codec.encode(b"test\r\n\r\n", &mut buf).is_ok());
             assert!(codec.encode(b".\r\n", &mut buf).is_ok());
             assert!(codec.encode(b"\r\ntest", &mut buf).is_ok());
             assert!(codec.encode(b"te\r\n.\r\nst", &mut buf).is_ok());
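Review bot: the regression case is only exercised across an encode() call boundary (`test\r\n\r\n` in one call, `.\r\n` in the next); add a single-buffer input such as `b"x\r\n\r\n.y"` so the new `else if *byte == b'\r' { 1 }` transition is also verified when the whole sequence arrives in one chunk, and consider a `\r\r\n.` input to pin down how a repeated bare `\r` is meant to be handled.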
    @@ -296,7 +305,7 @@ mod test {
             assert!(codec.encode(b"test", &mut buf).is_ok());
             assert_eq!(
                 String::from_utf8(buf).unwrap(),
    -            "test\r\n..\r\n\r\ntestte\r\n..\r\nsttesttest.test\n.test\ntest"
    +            "test\r\ntest\r\n\r\n..\r\n\r\ntestte\r\n..\r\nsttesttest.test\n.test\ntest"
             );
         }
     
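Review bot: the expected value is one opaque literal, so a reader cannot tell which encode() call produced the `..\r\n` after `test\r\n\r\n`, which is the whole point of the regression. Suggest assembling the expectation from per-call fragments (`"test\r\n", "test\r\n\r\n", "..\r\n", ...`) or at least adding a comment that marks the `test\r\n\r\n..\r\n` segment as the double-CRLF case, and note in the test that the bare `\n` in `.test\n.test` is intentionally not treated as a line terminator.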
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0 (no linked articles in our index yet)