
Email Header Injection

Security CWE-93 OWASP A3:2021 CVSS 6.5 PHP 5.0+ Intermediate
debt(d5/e3/b3/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list semgrep and psalm — both specialist/SAST tools — as the means of catching unsanitised user input flowing into mail() headers. A default linter won't flag this; it requires a dedicated static analysis rule targeting the specific mail() call pattern with tainted input.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix is to swap PHP's mail() for a library like Symfony Mailer or PHPMailer. This is more than a one-line patch (it requires replacing mail() calls and adjusting how headers/recipients are passed), but it's a contained substitution within one component rather than a cross-cutting refactor.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). The vulnerability applies to web and CLI contexts wherever mail() is used, but it is scoped to the mail-sending component(s) of the codebase. Once the fix is in place (library swap), the rest of the codebase is largely unaffected. It does not impose an ongoing structural tax on unrelated work streams.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field reveals the trap: developers believe email injection only enables spam, but it also enables domain spoofing via an injected From: header, Bcc abuse, and mail that passes the recipient's SPF/DKIM checks because it genuinely originates from the legitimate server. Additionally, the Subject parameter being injectable contradicts the intuition that only the To/From/Cc fields are dangerous, which is not how comparable injection classes are usually taught, warranting t7.


Also Known As

  • mail header injection
  • SMTP injection

TL;DR

Injecting extra headers or recipients into mail() calls via unvalidated user input, enabling spam relay and phishing.

Explanation

PHP's mail() writes the $to and $subject values, plus anything passed in additional_headers, into the outgoing message as raw header lines before handing it to the local MTA. If user-supplied data (a name, an address or a subject) contains a line break, whether CRLF or a bare LF, the attacker terminates the current header and starts new ones: Bcc: or Cc: recipients, a spoofed From:, or a blank line followed by an entirely new body, which turns the server into a spam relay. Reject (or at minimum strip) CR and LF in every value that reaches a header, including the $to parameter, and validate addresses with filter_var($addr, FILTER_VALIDATE_EMAIL). Better still, use a dedicated library such as Symfony Mailer or PHPMailer, which validate addresses and encode header values so a line break cannot become a new header.
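The following is an added example, not code from the original glossary entry. It shows, as a simplified simulation rather than PHP's internals, what a mail() call hands to the MTA when the subject carries a CRLF payload, and beside it a hardened builder that validates every user-controlled header value and rejects any line break before mail() is reached. The function names, the example.com/example.org addresses and the attacker payload are assumptions made for illustration; the code assumes PHP 7.2 or later so that additional_headers can be passed as an array.

```php
<?php
// Added example for this glossary entry; not code from the original page.
// Assumptions: PHP 7.2+ (additional_headers may be an array) behind a
// sendmail-style MTA. All addresses and the attacker payload are constructed.
declare(strict_types=1);

/**
 * Refuse any value that could end a header line. Both CRLF and a bare LF
 * count: sendmail accepts LF-terminated headers, so "\n" alone is enough for
 * an injection. Rejecting rather than stripping makes a tampered request fail
 * loudly instead of silently sending a modified message.
 */
function assert_single_line(string $value, string $field): string
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException("Newline in mail header field '$field'");
    }
    return $value;
}

/** Validate an address and additionally make sure it cannot carry a header line. */
function assert_email(string $addr, string $field): string
{
    $addr = trim($addr);
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("Invalid address in '$field'");
    }
    return assert_single_line($addr, $field);
}

/**
 * Build the arguments for mail() without sending. Every user-controlled value
 * is checked, From is pinned to a domain address the user cannot influence,
 * and the user's own address only ever appears in Reply-To.
 * Returns [to, subject, headers].
 */
function build_contact_mail(string $to, string $replyTo, string $subject): array
{
    $headers = [
        'From'     => 'noreply@example.com',            // fixed, never user-controlled
        'Reply-To' => assert_email($replyTo, 'reply-to'),
        'X-Mailer' => 'contact-form',
    ];
    return [
        assert_email($to, 'to'),
        assert_single_line($subject, 'subject'),
        $headers, // array form: mail() emits one "Name: value" line per element
    ];
}

/**
 * Rough model of the message mail() writes to sendmail: To and Subject lines,
 * then additional_headers, a blank line, then the body. Simulation only; it
 * exists to make the injected headers visible without sending anything.
 */
function render_raw_message(string $to, string $subject, string $headers, string $body): string
{
    return "To: $to\r\nSubject: $subject\r\n$headers\r\n\r\n$body\r\n";
}

// Constructed attacker input: ends the Subject line, adds a Bcc recipient and
// a spoofed From address that appears to come from the victim's own domain.
$evilSubject = "Hello\r\nBcc: target@example.org\r\nFrom: ceo@example.com";

// Vulnerable path: the injected lines arrive at the MTA as genuine headers.
echo render_raw_message('support@example.com', $evilSubject, 'From: noreply@example.com', 'hi'), "\n";

// Hardened path: the same input is refused before mail() is ever called.
try {
    [$to, $subject, $headers] = build_contact_mail('support@example.com', 'alice@example.org', $evilSubject);
    // mail($to, $subject, 'hi', $headers); // only reached with clean input
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Run it from the command line to see the two outcomes side by side: the rendered message from the vulnerable path shows Bcc: and a second From: as separate header lines, while the hardened path reports the rejected subject. Pinning From to a fixed domain address is what removes the spoofing and SPF/DKIM angle; the newline check alone only removes the extra headers.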

Common Misconception

Email injection only lets attackers send spam. In fact, a successful injection can also set a From: address that spoofs your domain, add Bcc recipients, and pass the recipient's SPF and DKIM checks, because the message genuinely originates from your own mail server and is signed like any other outbound mail.

Why It Matters

An injectable mail() call lets an attacker add Cc/Bcc headers and turn your server into a spam relay, getting your IP address and domain blacklisted and putting your legitimate mail at risk.

Common Mistakes

  • Passing user-supplied email addresses directly to the additional_headers parameter of PHP's mail() function, or straight into the $to parameter.
  • Not rejecting or stripping CR and LF characters from email addresses or subject lines before they reach a header.
  • Building header strings manually via concatenation instead of using a library like PHPMailer or Symfony Mailer.
  • Forgetting that Subject is also injectable — newlines in the subject can inject additional headers.

Code Examples

✗ Vulnerable
mail($to, $_POST['subject'], $body); // subject may contain "\r\nBcc: attacker@evil.com"
✓ Fixed
$subject = str_replace(["\r", "\n"], '', $_POST['subject']); // remove CR and LF so the Subject line cannot be terminated early
mail($to, $subject, $body); // apply the same check to $to and to every value placed in additional_headers

Added 15 Mar 2026
Edited 4 Jun 2026
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Low
⚡ Quick Fix
Use a mature PHP mailer library (Symfony Mailer or PHPMailer; SwiftMailer is end-of-life and has been superseded by Symfony Mailer) instead of PHP's mail() function. They validate addresses and encode header values so injected line breaks cannot become new headers.
📦 Applies To
PHP 5.0+ web cli
🔍 Detection Hints
PHP mail() with user-supplied To/From/Subject/CC headers without sanitisation; newlines in email header values
Auto-detectable: ✓ Yes semgrep psalm
🤖 AI Agent
Confidence: High False Positives: Low ✓ Auto-fixable Fix: Low Context: Line
CWE-93 CWE-20
