Moderate severityNVD Advisory· Published Jul 21, 2025· Updated Nov 4, 2025
CVE-2025-7962
CVE-2025-7962
Description
In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.eclipse.angus:smtpMaven | < 2.0.4 | 2.0.4 |
com.sun.mail:jakarta.mailMaven | < 1.6.8 | 1.6.8 |
com.sun.mail:jakarta.mailMaven | >= 2.0.0, < 2.0.2 | 2.0.2 |
Affected products
69- osv-coords68 versionspkg:apk/chainguard/apache-nifipkg:apk/chainguard/apache-nifi-compatpkg:apk/chainguard/apache-nifi-toolkitpkg:apk/chainguard/apicurio-registrypkg:apk/chainguard/apicurio-registry-nginx-configpkg:apk/chainguard/apicurio-registry-uipkg:apk/chainguard/dependency-trackpkg:apk/chainguard/dependency-track-bundledpkg:apk/chainguard/elasticsearch-7pkg:apk/chainguard/elasticsearch-7-iamguardedpkg:apk/chainguard/elasticsearch-8.17pkg:apk/chainguard/elasticsearch-8.19pkg:apk/chainguard/elasticsearch-8.19-iamguardedpkg:apk/chainguard/elasticsearch-fips-8.17pkg:apk/chainguard/elasticsearch-fips-8.17-bitnamipkg:apk/chainguard/elasticsearch-fips-8.19pkg:apk/chainguard/geoserver-2.27pkg:apk/chainguard/geoserver-2.28pkg:apk/chainguard/jenkins-2-openjdk-21pkg:apk/chainguard/keycloakpkg:apk/chainguard/keycloak-bitnami-compatpkg:apk/chainguard/keycloak-bitnami-fipspkg:apk/chainguard/keycloak-compatpkg:apk/chainguard/keycloak-config-clipkg:apk/chainguard/keycloak-config-cli-bitnami-compatpkg:apk/chainguard/keycloak-config-cli-compatpkg:apk/chainguard/keycloak-config-cli-iamguarded-compatpkg:apk/chainguard/keycloak-fipspkg:apk/chainguard/keycloak-fips-bitnami-compatpkg:apk/chainguard/keycloak-fips-policy-140-2pkg:apk/chainguard/keycloak-fips-policy-140-3pkg:apk/chainguard/keycloak-iamguarded-compatpkg:apk/chainguard/keycloak-iamguarded-fipspkg:apk/chainguard/thingsboard-tb-nodepkg:apk/chainguard/wildflypkg:apk/chainguard/wildfly-openjdk-17pkg:apk/chainguard/wildfly-openjdk-17-compatpkg:apk/chainguard/wildfly-openjdk-21pkg:apk/chainguard/wildfly-openjdk-21-compatpkg:apk/wolfi/apache-nifipkg:apk/wolfi/apache-nifi-compatpkg:apk/wolfi/apache-nifi-toolkitpkg:apk/wolfi/apicurio-registrypkg:apk/wolfi/apicurio-registry-nginx-configpkg:apk/wolfi/apicurio-registry-uipkg:apk/wolfi/dependency-trackpkg:apk/wolfi/dependency-track-bundledpkg:apk/wolfi/jenkins-2-openjdk-21pkg:apk/wolfi/keycloakpkg:apk/wolfi/keycloak-bitnami-compatpkg:apk/wolfi/keycloak-compatpkg:apk/wolfi/keycloak-config-clipkg:apk/wolfi/keycloak-config-cli-bitnami-compatpkg:apk/wolfi/keycloak-config-cli-compatpkg:apk/wolfi/keycloak-config-cli-iamguarded-compatpkg:apk/wolfi/keycloak-iamguarded-compatpkg:apk/wolfi/thingsboard-tb-nodepkg:apk/wolfi/wildflypkg:apk/wolfi/wildfly-openjdk-17pkg:apk/wolfi/wildfly-openjdk-17-compatpkg:apk/wolfi/wildfly-openjdk-21pkg:apk/wolfi/wildfly-openjdk-21-compatpkg:maven/com.sun.mail/jakarta.mailpkg:maven/org.eclipse.angus/smtppkg:rpm/opensuse/javamail&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/javamail&distro=openSUSE%20Tumbleweedpkg:rpm/suse/javamail&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6pkg:rpm/suse/javamail&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7
< 2.5.0-r2+ 67 more
- (no CPE)range: < 2.5.0-r2
- (no CPE)range: < 2.5.0-r2
- (no CPE)range: < 2.5.0-r2
- (no CPE)range: < 3.0.11-r1
- (no CPE)range: < 3.0.11-r1
- (no CPE)range: < 3.0.11-r1
- (no CPE)range: < 4.13.3-r1
- (no CPE)range: < 4.13.3-r1
- (no CPE)range: < 7.17.29-r12
- (no CPE)range: < 7.17.29-r12
- (no CPE)range: < 8.17.10-r21
- (no CPE)range: < 8.19.14-r2
- (no CPE)range: < 8.19.14-r2
- (no CPE)range: < 8.17.10-r16
- (no CPE)range: < 8.17.10-r16
- (no CPE)range: < 8.19.13-r4
- (no CPE)range: < 2.27.5-r7
- (no CPE)range: < 2.28.3-r5
- (no CPE)range: < 2.544-r1
- (no CPE)range: < 26.3.2-r1
- (no CPE)range: < 26.3.2-r1
- (no CPE)range: < 26.3.2-r1
- (no CPE)range: < 26.3.2-r1
- (no CPE)range: < 6.4.0-r48
- (no CPE)range: < 6.4.0-r48
- (no CPE)range: < 6.4.0-r48
- (no CPE)range: < 6.4.0-r48
- (no CPE)range: < 26.3.2-r1
- (no CPE)range: < 26.3.2-r1
- (no CPE)range: < 26.3.2-r1
- (no CPE)range: < 26.3.2-r1
- (no CPE)range: < 26.3.2-r1
- (no CPE)range: < 26.3.2-r1
- (no CPE)range: < 4.3.1.1-r4
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 2.5.0-r2
- (no CPE)range: < 2.5.0-r2
- (no CPE)range: < 2.5.0-r2
- (no CPE)range: < 3.0.11-r1
- (no CPE)range: < 3.0.11-r1
- (no CPE)range: < 3.0.11-r1
- (no CPE)range: < 4.13.3-r1
- (no CPE)range: < 4.13.3-r1
- (no CPE)range: < 2.544-r1
- (no CPE)range: < 26.3.2-r1
- (no CPE)range: < 26.3.2-r1
- (no CPE)range: < 26.3.2-r1
- (no CPE)range: < 6.4.0-r48
- (no CPE)range: < 6.4.0-r48
- (no CPE)range: < 6.4.0-r48
- (no CPE)range: < 6.4.0-r48
- (no CPE)range: < 26.3.2-r1
- (no CPE)range: < 4.3.1.1-r4
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 36.0.1-r8
- (no CPE)range: < 1.6.8
- (no CPE)range: < 2.0.4
- (no CPE)range: < 1.6.2-150200.3.7.1
- (no CPE)range: < 1.6.2-3.1
- (no CPE)range: < 1.6.2-150200.3.7.1
- (no CPE)range: < 1.6.2-150200.3.7.1
- Eclipse Foundation/Jakarta Mailv5Range: 1.6.8
Patches
Vulnerability mechanics
References
9- github.com/advisories/GHSA-9342-92gg-6v29ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-7962ghsaADVISORY
- www.openwall.com/lists/oss-security/2025/09/03/4ghsaWEB
- github.com/eclipse-ee4j/angus-mail/commit/269099b652a0a5c2fa140f1296a18f0fbbea0d44ghsaWEB
- github.com/jakartaee/mail-api/issues/765ghsaWEB
- github.com/jakartaee/mail-api/pull/760ghsaWEB
- gitlab.eclipse.org/security/cve-assignement/-/issues/67ghsaWEB
- gitlab.eclipse.org/security/vulnerability-reports/-/issues/290ghsaWEB
- gitlab.eclipse.org/security/vulnerability-reports/-/issues/290ghsaWEB
News mentions
1- Jenkins Security Advisory 2025-09-03Jenkins Security Advisories · Sep 3, 2025