MimeKit: CRLF Injection in Quoted Local-Part Enables SMTP Command Injection and Email Forgery
Description
MimeKit is a C# library which may be used for the creation and parsing of messages using the Multipurpose Internet Mail Extension (MIME), as defined by numerous IETF specifications. Prior to version 4.15.1, a CRLF injection vulnerability in MimeKit allows an attacker to embed \r\n into the SMTP envelope address local-part (when the local-part is a quoted-string). This is non-compliant with RFC 5321 and can result in SMTP command injection (e.g., injecting additional RCPT TO / DATA / RSET commands) and/or mail header injection, depending on how the application uses MailKit/MimeKit to construct and send messages. The issue becomes exploitable when the attacker can influence a MailboxAddress (MAIL FROM / RCPT TO) value that is later serialized to an SMTP session. RFC 5321 explicitly defines the SMTP mailbox local-part grammar and does not permit CR (13) or LF (10) inside Quoted-string (the qtextSMTP and quoted-pairSMTP ranges exclude control characters). SMTP commands are terminated by CRLF, making CRLF injection in command arguments particularly dangerous. This issue has been patched in version 4.15.1.
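As an added example that is not part of the advisory or of MimeKit's own code, the following Python check applies the RFC 5321 local-part grammar named above (Dot-string of atext, or Quoted-string of qtextSMTP / quoted-pairSMTP) to an untrusted envelope address before it is handed to any SMTP client; the function names and sample addresses are constructed for this illustration, and in a .NET application the same gate would sit in front of MailboxAddress construction.

```python
import re

# atext (RFC 5322 sec. 3.2.3); RFC 5321 Dot-string = Atom *("." Atom), Atom = 1*atext
_ATEXT = r"[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]"
_DOT_STRING = re.compile(rf"{_ATEXT}+(?:\.{_ATEXT}+)*")
# RFC 5321 sec. 4.1.2: qtextSMTP       = %d32-33 / %d35-91 / %d93-126
#                      quoted-pairSMTP = %d92 %d32-126
# Neither range admits CR (13), LF (10) or any other control character.
_QUOTED_STRING = re.compile(r'"(?:[\x20-\x21\x23-\x5b\x5d-\x7e]|\\[\x20-\x7e])*"')


def split_address(address: str) -> tuple[str, str]:
    """Split on the last '@'; a quoted local-part may legitimately contain '@'."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("address must have the form local-part@domain")
    return local, domain


def is_rfc5321_local_part(local: str) -> bool:
    """True only for a syntactically valid Dot-string or Quoted-string.
    fullmatch is used deliberately: a '$'-anchored match ignores a trailing newline."""
    return bool(_DOT_STRING.fullmatch(local) or _QUOTED_STRING.fullmatch(local))


def check_envelope_address(address: str) -> tuple[bool, str]:
    """Gate an untrusted MAIL FROM / RCPT TO value before it reaches an SMTP client.
    Returns (accepted, reason). Domain syntax is not validated here."""
    try:
        local, domain = split_address(address)
    except ValueError as exc:
        return False, str(exc)
    # Reject CR/LF anywhere: SMTP commands are CRLF-terminated, so these
    # bytes can never be part of a legitimate envelope address.
    if "\r" in address or "\n" in address:
        return False, "CR/LF in envelope address"
    if not is_rfc5321_local_part(local):
        return False, "local-part is not an RFC 5321 Dot-string or Quoted-string"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for addr in ['alice@example.com', '"alice smith"@example.com',
                 '"alice\r\nbob"@example.com', '"alice\x01"@example.com']:
        print(repr(addr), check_envelope_address(addr))
```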
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CRLF injection in MimeKit's quoted local-part handling enables SMTP command injection and header injection; patched in 4.15.1.
Vulnerability
Overview
MimeKit, a .NET MIME library, prior to version 4.15.1 contains a CRLF injection vulnerability in its handling of quoted-string local-parts in SMTP envelope addresses. According to the advisory [2], the library accepts carriage return (CR) and line feed (LF) characters inside quoted local-parts, which violates RFC 5321. The RFC explicitly prohibits control characters in the qtextSMTP and quoted-pairSMTP ranges, making this a non-compliant behavior that opens the door to injection attacks.
Exploitation
The vulnerability becomes exploitable when an attacker can influence a MailboxAddress value (used for MAIL FROM or RCPT TO) that is later serialized into an SMTP session [3]. By embedding \r\n sequences into the local-part, the attacker can inject arbitrary SMTP commands—such as additional RCPT TO, DATA, or RSET commands—or inject mail headers. No authentication is required if the application accepts user-supplied email addresses and passes them to MimeKit for serialization.
Impact
Successful exploitation allows an attacker to perform SMTP command injection, potentially leading to email forgery, sending of arbitrary messages, or manipulation of the SMTP session. The impact depends on how the application uses MailKit/MimeKit to construct and send messages, but the advisory [2] notes that both SMTP command injection and mail header injection are possible.
Mitigation
The issue has been patched in MimeKit version 4.15.1 [2]. Users are strongly advised to upgrade to this version or later. No workarounds are mentioned in the advisory, so updating the library is the recommended course of action.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| MimeKit | NuGet | < 4.15.1 | 4.15.1 |
Affected products
- jstedfast/MimeKit (range: < 4.15.1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-g7hc-96xr-gvvx (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-30227 (NVD record)
- github.com/jstedfast/MimeKit/security/advisories/GHSA-g7hc-96xr-gvvx (vendor advisory)
News mentions
No linked articles in our index yet.