Mail Command Injection


Mail command injection vulnerabilities occur when an application implements its own email client code and concatenates user data with email commands. There should be no reason to implement email client code in applications that are not email clients.

Most development platforms provide libraries that provide email functionality, and using these libraries will prevent mail command injection vulnerabilities. If an application implements its own email functionality in a dangerous manner, rather than using trusted third-party APIs, an attacker will be able to manipulate email sent by the application and will be able to send their own email.

All applications that implement their own custom email client code instead of using trusted third-party APIs are affected by mail command injection vulnerabilities.


The impact of mail command injection vulnerabilities is that an attacker will be able to change the email that is being sent by the application to say whatever the attacker wants it to say and/or to send it to additional recipients. The most likely result is that the attacker will be able to use the vulnerable application to send spam. The attacker might also send messages to the application's users that appear to come from the application, and abuse the users' trust to trick them into doing something dangerous, like visiting a malicious site or disclosing their passwords.


To prevent mail command injection vulnerabilities, validate all input and use trusted third-party APIs for email functionality.

Application Check

To verify that mail command injection vulnerabilities are prevented, make sure that all data is validated and trusted third-party APIs are used for email functionality.

!Have a comment about this article? Send our team an email.