Email Header Injection

Severity: Medium
Test name: Email Header Injection

Some web applications let users send email messages to defined recipients via contact forms. In most cases, the contact form script builds the email headers itself; those headers are then converted into SMTP commands, which the SMTP server processes.

Email Header Injection lets an attacker insert additional, malicious headers into the email message through unsafe user input. Because the headers are converted into SMTP commands, the injected headers are processed by the SMTP server as if the application had set them.

This vulnerability may lead to:

  • Sending spam emails.
  • Phishing and spoofing attacks. The recipient is made to believe that the email is legitimate. The email usually redirects the victim to a malicious website, which then steals their credentials or infects their computer with malware (via a drive-by-download).
  • Denial of Service, if the attacker sends a huge number of emails and overloads the SMTP server.
Example of a spam email
  1. Let's imagine the following code is used on the server side for sending an email message:

    if (!empty($_POST['name'])) {
        $name = $_POST['name'];
        $email = $_POST['email'];
        $message = $_POST['message'];
        $subject = 'Contact form request';
        // Set headers directly from unsanitized user input
        $headers = "From: $name \n" .
                   "Reply-To: $email";
        mail('root@localhost', $subject, $message, $headers);
    }

  2. Expected request example:

    POST /contact.php HTTP/1.1
    Host: www.{your_web_site}.com

    name=Test User
    email=[email protected]
    message=Hello! This is a test message.

  3. An attacker can send the following request:

    POST /contact.php HTTP/1.1
    Host: www.{your_web_site}.com

    name=Best Seller\nbcc: [email protected]
    email=[email protected]
    message=Buy my awesome product!

  4. As a result, the attacker can send a large number of messages anonymously. The attacker may also send phishing emails, where the recipient believes that these messages originate from a trusted source (your website).

The issue can be found in the source code on the server side.

Remedy suggestions
  • Sanitize user input with the functions your programming language provides for this purpose. In particular, reject any input that contains newline or carriage-return characters, since these are what separate one header from the next.
  • Enforce the correct type for each supplied value (string, float, int). If your application expects an email address, validate it against an email-address pattern.
  • Alternatively, consider switching to an email library that prevents such attacks automatically. Use the latest version and upgrade your email library periodically.
  • CWE-20
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
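As an added example (not code from the original page), here is a hardened version of the contact-form handler shown above, written in PHP and applying the remedies listed: newline characters are rejected rather than stripped, the email address is validated with PHP's built-in filter, and the user-supplied name is placed in an escaped display-name instead of being used as the From address. It assumes the same POST field names and recipient as the original snippet; the fixed sender address noreply@example.com and the 100-character name limit are assumptions chosen for the example.

```php
<?php
// Added example, not from the original page: a hardened version of the
// contact-form handler. Assumes the same POST fields and recipient.

declare(strict_types=1);

/**
 * True if the value contains CR or LF, the characters that would let a
 * header value spill over into additional headers or the message body.
 */
function contains_newline(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

/**
 * Validate and normalise the form fields.
 * Returns null when the request must be rejected.
 */
function validate_contact_input(array $post): ?array
{
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $message = (string)($post['message'] ?? '');

    // Reject header-capable characters outright rather than stripping them:
    // stripping can leave behind a payload that still parses as a header.
    // The 100-character limit is an assumed, application-specific bound.
    if ($name === '' || contains_newline($name) || strlen($name) > 100) {
        return null;
    }

    // FILTER_VALIDATE_EMAIL never accepts CR/LF, so this also blocks
    // injection through the Reply-To value.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    return ['name' => $name, 'email' => $email, 'message' => $message];
}

/**
 * Build the header block from validated fields. The user's name goes into a
 * quoted display-name (quotes and backslashes escaped) in front of a fixed
 * sender address, so it can never be interpreted as an address or header.
 * Header lines are separated by CRLF, as mail() expects.
 */
function build_headers(string $name, string $email): string
{
    $display = '"' . addcslashes($name, "\"\\") . '"';
    return "From: $display <noreply@example.com>\r\n"   // assumed sender
         . "Reply-To: $email";
}

$fields = validate_contact_input($_POST);
if ($fields === null) {
    http_response_code(400);
    exit('Invalid input');
}

mail(
    'root@localhost',
    'Contact form request',
    $fields['message'],
    build_headers($fields['name'], $fields['email'])
);
```

With this handler, the attacker's request from step 3 above is refused with a 400 response because the name field contains a newline, and a Reply-To value such as `x@example.com\nbcc: ...` is refused because it is not a valid email address. The message body is still free-form text: newlines there are harmless, since the body is never turned into SMTP commands.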