Severity: medium · CWE-93 · OWASP A03:2021

Email Header Injection

Unsanitized user input used in email To, From, CC, or Subject fields, allowing attackers to inject additional recipients and turn your email server into a spam relay.

How It Works

Email headers use the same CRLF delimiter format as HTTP. If an attacker sets their name to `victim@evil.com\r\nBCC: spam1@target.com,spam2@target.com`, your email library will parse that as multiple headers and send the email to thousands of extra recipients — all from your domain and IP.

Vulnerable Code

```javascript
// BAD: user-provided values placed directly in headers
const name = req.body.name;   // attacker injects CRLF + BCC header here
const email = req.body.email; // unvalidated as well
await sendEmail({
  to: 'admin@example.com',
  replyTo: `${name} <${email}>`,
  subject: `New message from ${name}`
});
```
Secure Code

```javascript
// GOOD: validate every field that reaches a header and reject CR/LF outright
import { z } from 'zod';

const schema = z.object({
  // Letters, digits, underscore, space, apostrophe, hyphen. A literal space is
  // used instead of \s: \s also matches \r and \n and would let the injection through.
  name: z.string().max(100).regex(/^[\w '-]+$/),
  email: z.string().email(),
  message: z.string().max(2000),
});
const { name, email, message } = schema.parse(req.body); // throws on invalid input
// name and email are now safe to interpolate into replyTo and subject
```

Real-World Example

Contact forms on older PHP and Node.js apps were commonly exploited as spam relays. An attacker submits thousands of form submissions with injected BCC headers, causing your server IP to be blacklisted and your domain's reputation to tank.

How to Prevent It

  • Validate email addresses with a strict regex or Zod's z.string().email()
  • Strip \r and \n from all fields used in email headers (To, From, CC, BCC, Subject)
  • Use a transactional email API (Resend, SendGrid, Postmark) that handles header encoding
  • Implement rate limiting on contact and email-sending endpoints

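The "strip \r and \n" rule above, applied as a hard reject rather than a silent strip. This is an added, dependency-free example, not the page's or Data Hogo's own code; it assumes a Node.js contact-form handler that builds the same to/replyTo/subject triple as the snippets above, with `admin@example.com` as the recipient.

```javascript
// Hypothetical contact-form guard (not the page's code).
const MAX_NAME_LEN = 100;
// Conservative address shape: one local part, one domain, no whitespace.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

// Any ASCII control character. \r and \n are the injection vector; NUL, tab and the rest are refused too.
function containsControlChars(value) {
  return /[\x00-\x1f\x7f]/.test(value);
}

// Validate one header field. Rejecting beats stripping: a stripped value
// silently turns "a\r\nBCC: x" into "aBCC: x" and hides the attempt from logs.
function checkHeaderField(field, value, maxLen) {
  if (typeof value !== 'string') return { ok: false, reason: `${field}: not a string` };
  if (value.length > maxLen) return { ok: false, reason: `${field}: too long` };
  if (containsControlChars(value)) return { ok: false, reason: `${field}: control characters` };
  return { ok: true, value: value.trim() };
}

// Build the headers for the notification. Throws on any unsafe input, so
// nothing reaches the mail library unless every field passed.
function buildContactHeaders(body) {
  const name = checkHeaderField('name', body.name, MAX_NAME_LEN);
  if (!name.ok) throw new Error(name.reason);
  const email = checkHeaderField('email', body.email, 254);
  if (!email.ok) throw new Error(email.reason);
  if (!EMAIL_RE.test(email.value)) throw new Error('email: invalid address');
  // Quote the display name (RFC 5322 quoted-string), escaping \ and ",
  // so the name can never be read as part of the address.
  const display = '"' + name.value.replace(/["\\]/g, '\\$&') + '"';
  return {
    to: 'admin@example.com',
    replyTo: `${display} <${email.value}>`,
    subject: `New message from ${name.value}`,
  };
}

// Constructed inputs: a legitimate submission and the payload quoted in the text above.
const GOOD_BODY = { name: "Ada O'Neil", email: 'ada@example.org' };
const INJECTED_BODY = {
  name: 'victim@evil.com\r\nBCC: spam1@target.com,spam2@target.com',
  email: 'ada@example.org',
};

// Returns what the handler would do for a body, without throwing.
function handleSubmission(body) {
  try { return { accepted: true, headers: buildContactHeaders(body) }; }
  catch (err) { return { accepted: false, reason: err.message }; }
}
```

The rejection reason is worth logging: a burst of `control characters` rejections on the contact endpoint is the signal that someone is probing the form as a relay.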
Affected Technologies

Node.js, Python, PHP

Data Hogo detects this vulnerability automatically.
