
Email Header Injection

security CWE-93 OWASP A3:2021 CVSS 6.5 PHP 5.0+ Intermediate

Also Known As

mail header injection, SMTP injection

TL;DR

Injecting extra headers or recipients into mail() calls via unvalidated user input, enabling spam relay and phishing.

Explanation

PHP's mail() function constructs raw SMTP headers. If user-supplied data (a name or subject) contains \r\n, an attacker can inject additional headers — Bcc:, Cc:, or a new message body — turning the server into a spam relay. Always strip newlines from any value passed to mail() headers. Better still, use a dedicated library such as Symfony Mailer or PHPMailer, which sanitise headers automatically, and validate email addresses with filter_var($addr, FILTER_VALIDATE_EMAIL).

Common Misconception

Email injection only lets attackers send spam. In reality, a successful injection can change the From address to spoof your domain, add BCC recipients, and bypass SPF/DKIM checks since the mail originates from your own server.

Why It Matters

A compromised mail() call lets an attacker inject CC/BCC headers and turn your server into a spam relay, blacklisting your IP and domain.

Common Mistakes

  • Passing user-supplied email addresses directly to the headers parameter of PHP's mail() function.
  • Not stripping newline characters from email addresses or subject lines before using them in headers.
  • Building header strings manually via concatenation instead of using a library like PHPMailer or Symfony Mailer.
  • Forgetting that Subject is also injectable — newlines in the subject can inject additional headers.

Code Examples

✗ Vulnerable
mail($to, $_POST['subject'], $body); // subject may contain \r\nBcc: attacker@evil.com
✓ Fixed
$subject = str_replace(["\r", "\n"], '', $_POST['subject']);
mail($to, $subject, $body);
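The fixed snippet above silently strips CR/LF. The following is an added example, not code from the glossary page: a contact-form handler that instead rejects any header value containing CR, LF or NUL (so injection attempts fail loudly and can be logged), validates the visitor's address with filter_var, keeps that address out of To/From/Bcc entirely, and passes headers to mail() as an array. The function names and the sample inputs are the example's own; the array form of mail()'s headers argument requires PHP 7.2+.

```php
<?php
// Added example (not from the glossary page). Helper names are hypothetical.
declare(strict_types=1);

// Return $value if it is safe to place in a mail header, or null if it
// contains CR, LF or NUL, the characters that would start a new header line.
// Rejecting (rather than stripping) makes an injection attempt visible.
function sanitizeHeaderValue(string $value, int $maxLen = 200): ?string
{
    if (preg_match('/[\r\n\x00]/', $value)) {
        return null;
    }
    $value = trim($value);
    return strlen($value) > $maxLen ? null : $value;
}

// An address that passes FILTER_VALIDATE_EMAIL cannot carry CR/LF, but the
// explicit header check documents the intent and caps the length.
function validateAddress(string $addr): ?string
{
    $addr = sanitizeHeaderValue($addr, 254);
    if ($addr === null || filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $addr;
}

// Build the argument list for mail() from untrusted form fields.
// $to and $from are fixed by the site; the visitor's address only ever
// appears in Reply-To. Returns null when any field fails validation.
function buildMailArgs(array $form, string $to, string $from): ?array
{
    $reply   = validateAddress((string)($form['email'] ?? ''));
    $subject = sanitizeHeaderValue((string)($form['subject'] ?? ''));
    if ($reply === null || $subject === null) {
        return null;
    }
    // Array headers (PHP 7.2+) avoid hand-built "Key: value\r\n" strings.
    $headers = ['From' => $from, 'Reply-To' => $reply];
    return [$to, $subject, (string)($form['message'] ?? ''), $headers];
}

// Constructed inputs: a legitimate submission, then one with an injected Bcc header.
$clean    = ['email' => 'alice@example.org', 'subject' => 'Hello', 'message' => 'Hi'];
$injected = ['email' => 'alice@example.org', 'subject' => "Hello\r\nBcc: victim@example.net", 'message' => 'Hi'];
foreach ([$clean, $injected] as $form) {
    $args = buildMailArgs($form, 'contact@example.com', 'noreply@example.com');
    echo $args === null ? "rejected (log and return an error to the user)\n" : "accepted\n";
    // if ($args !== null) { mail(...$args); }   // only send once validation passed
}
```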

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Low
⚡ Quick Fix
Use a mature PHP mailer library (Symfony Mailer, PHPMailer, SwiftMailer) instead of PHP's mail() function — they sanitise headers automatically
📦 Applies To
PHP 5.0+ web cli
🔍 Detection Hints
PHP mail() with user-supplied To/From/Subject/CC headers without sanitisation; newlines in email header values
Auto-detectable: ✓ Yes semgrep psalm
⚠ Related Problems
🤖 AI Agent
Confidence: High False Positives: Low ✓ Auto-fixable Fix: Low Context: Line
CWE-93 CWE-20
