VYPR

CWE-147

Improper Neutralization of Input Terminators

Variant | Draft

Description

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component.

For example, a "." in SMTP signifies the end of mail message data, whereas a null character can be used for the end of a string.
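The SMTP case above as an added example (not part of the original entry): the body is neutralized with RFC 5321 dot-stuffing before it is sent as DATA, and a simplified receiver shows what the downstream component sees with and without it. The function names and the sample body are constructed for illustration.

```python
import re

TERMINATOR = b"\r\n.\r\n"  # SMTP end-of-DATA: a "." alone on a line

def dot_stuff(body: bytes) -> bytes:
    """Neutralize terminators in an untrusted body before it is sent as DATA."""
    # Bare CR or LF become CRLF so sender and receiver agree on line boundaries.
    lines = re.sub(rb"\r\n|\r|\n", b"\r\n", body).split(b"\r\n")
    # RFC 5321 4.5.2 transparency: a line starting with "." gets one more ".".
    return b"\r\n".join(b"." + ln if ln.startswith(b".") else ln for ln in lines)

def frame_data(body: bytes, neutralize: bool = True) -> bytes:
    """Build the bytes written after the DATA command, terminator included."""
    payload = dot_stuff(body) if neutralize else body
    if not payload.endswith(b"\r\n"):
        payload += b"\r\n"
    return payload + b".\r\n"

def receiver_split(stream: bytes) -> tuple[bytes, bytes]:
    """Downstream view: (message, leftover bytes that would be read as commands)."""
    framed = b"\r\n" + stream  # lets the terminator match on the first line too
    end = framed.index(TERMINATOR)
    lines = framed[2:end].split(b"\r\n")
    # The receiver removes the one leading "." that dot-stuffing added.
    message = b"\r\n".join(ln[1:] if ln.startswith(b".") else ln for ln in lines)
    return message, framed[end + len(TERMINATOR):]

# Constructed sample body: user text that contains a lone "." line.
SAMPLE = b"Hello\r\n.\r\nNOOP injected\r\n"

if __name__ == "__main__":
    # Without neutralization the message is cut at "Hello" and the rest leaks out.
    print(receiver_split(frame_data(SAMPLE, neutralize=False)))
    # With dot-stuffing the whole body arrives as message text, nothing is left over.
    print(receiver_split(frame_data(SAMPLE)))
```

Any non-empty second element returned by `receiver_split` is data that escaped the message and reached the command parser, which makes it a convenient regression check for a mail-sending code path.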

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-460

CVEs mapped to this weakness (3)

  • CVE-2024-52505 | Med | Nov 14, 2024
    risk 0.28 | cvss 5.4 | epss 0.00

    matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. The provisioning API of the matrix-appservice-irc bridge up to version 3.0.2 contains a vulnerability which can lead to arbitrary IRC command execution as the bridge IRC bot. The vulnerability has…

  • CVE-2025-7962 | Jul 21, 2025
    risk 0.00 | cvss | epss 0.01

    In Jakarta Mail 2.0.2 it is possible to perform an SMTP injection by utilizing the \r and \n UTF-8 characters to separate different messages.

  • CVE-2021-38189 | Aug 8, 2021
    risk 0.00 | cvss | epss 0.01

    An issue was discovered in the lettre crate before 0.9.6 for Rust. In an e-mail message body, an attacker can place a . character after two <CR><LF> sequences and then inject arbitrary SMTP commands.