[Jakarta Mail] SMTP Injection Vulnerability
<!--
There's help in the Eclipse Foundation Project Handbook https://www.eclipse.org/projects/handbook/#vulnerability-cve
Note that this issue is configured (see the quick actions at the bottom) to be created as confidential.
Note that a vulnerability does not need to actually be resolved before it is reported and that these reports can be revised as needed (reopen the issue to request changes).
If you do not know how to fill certain fields, mark that in the comment and we will help you.
You can delete the comments (or not).
-->
The Eclipse Foundation is a [Common Vulnerabilities and Exposures](https://cve.mitre.org/) (CVE) Numbering Authority. This issue is used to request and track the progress of the assignment of a CVE for a vulnerability in the project code for an Eclipse open source project.
<!--
Required. Specify the project's name (e.g., "Eclipse Dash") and Eclipse Foundation ID, e.g., "technology.dash".
-->
## Basic information
**Project name:** Jakarta Mail
**Project id:** ee4j.mail
<!--
Required. Specify if you want a reservation only (in this case you may skip the fields below) or a publication (you need to fill all fields).
Please note that you can do the reservation first, then ask us for publication when the project has made a release with the fix.
-->
**Request type:** publication
<!--
Required (if publication). Specify the version range as precisely as possible, e.g., "[3.0, 3.5.1]" or "[3.0, 3.5.1)". Note that using the standard range notation, square brackets are inclusive (i.e., that version is included in the range), and round brackets are exclusive (the vulnerability affects all versions up to but not including the named version).
Multiple ranges can be provided.
-->
**Versions affected:** 2.0.1
<!--
Required (if publication). The Common Weakness Enumeration (CWE) code comes from here: https://cwe.mitre.org/, e.g., "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')". Multiple codes can be provided.
-->
**Common Weakness Enumeration:**
- [CWE-147: Improper Neutralization of Input Terminators](https://cwe.mitre.org/data/definitions/147.html)
<!--
Optional. Provide a Common Vulnerability Scoring System (CVSS). Note that if you do not provide this, then some agencies (eg. NIST) will compute it on the project's behalf. Please be sure to include the CVSS version number, e.g., "3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H".
There's help here: https://nvd.nist.gov/vuln-metrics/cvss
-->
**Common Vulnerability Scoring System:** [CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N](https://nvd.nist.gov/vuln-metrics/cvss)
<!--
Required (if publication). The summary should start with the name of the project, e.g., "Eclipse Vert.x", then a description of the affected versions, followed by a description of the problem. The summary should be concise. For example,
"In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response
headers and HttpClient request headers do not filter carriage return and
line feed characters from the header value. This allows unfiltered values
to inject a new header in the client request or server response."
-->
**Summary:**
In Jakarta Mail 2.0.2 it is possible to perform an SMTP injection by using the \r and \n (carriage return and line feed) UTF-8 characters to separate different messages.
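As an added illustration of the CWE-147 class named above (this is not Jakarta Mail's code, which the report does not show, and the function names and the sample address are constructed for the example), the following Python models the defect at the SMTP protocol level: a caller-supplied field pasted verbatim into a command becomes two command lines when it carries a CR/LF, while a hardened path refuses the field before it reaches the wire.

```python
import re

# RFC 5321 terminates every SMTP command with CRLF; a CR or LF inside a
# command argument or header value is therefore always a terminator, never data.
_LINE_TERMINATOR = re.compile(r"[\r\n]")


class SmtpInjectionError(ValueError):
    """Raised when a caller-supplied field would inject a line terminator."""


def unhardened_rcpt_command(address: str) -> bytes:
    """Models the CWE-147 defect: the address is pasted verbatim into the command."""
    return f"RCPT TO:<{address}>\r\n".encode("utf-8")


def hardened_rcpt_command(address: str) -> bytes:
    """Mitigation: refuse any field carrying CR or LF before it reaches the wire."""
    if _LINE_TERMINATOR.search(address):
        raise SmtpInjectionError(f"line terminator in SMTP argument: {address!r}")
    return f"RCPT TO:<{address}>\r\n".encode("utf-8")


def parse_command_lines(stream: bytes) -> list[bytes]:
    """Splits a byte stream the way a lenient SMTP server does (CRLF, bare LF
    or bare CR all end a line), making the effect of an injected terminator
    visible. Detection check: one field must never yield more than one line."""
    return [line for line in re.split(rb"\r\n|\r|\n", stream) if line]


def demo() -> tuple[int, bool]:
    """Returns (command lines produced by the unhardened path, whether the
    hardened path refused). The address is a constructed sample carrying a CRLF."""
    injected = "user@example.com\r\nNOOP"  # constructed, not from the report
    produced = len(parse_command_lines(unhardened_rcpt_command(injected)))
    try:
        hardened_rcpt_command(injected)
        refused = False
    except SmtpInjectionError:
        refused = True
    return produced, refused


if __name__ == "__main__":
    print(demo())  # (2, True)
```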
<!--
Required (if publication). Include a link to the issue (e.g., GitHub Security Advisory) that's being used to track/resolve the issue. Other links that provide more information can be provided. For example, you may later publish the link to the fix commit.
-->
**Links:**
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/290
## Tracking
**This section will be completed by the project team**.
- [ ] Reserve an entry only
- [x] We're ready for this issue to be reported to the central authority (i.e., make this public now)
- [ ] (when applicable) The GitHub Security Advisory is ready to be published now
Note that for those projects that host their repositories on GitHub, the use of GitHub Security Advisories is recommended but is not required.
**This section will be completed by the EMO**.
**CVE:** CVE-2025-7962
- [x] All required information is provided
- [x] CVE Assigned
- [x] Pushed to Mitre
- [x] Accepted by Mitre
<!-- Quick actions will configure the state of the issue. Leave these. -->