CVE-2025-7962

NameCVE-2025-7962
DescriptionIn Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing theĀ \r and \n UTF-8 characters to separate different messages.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1109804, 1109824

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jakarta-mail (PTS)forky, sid, bookworm, bullseye, trixie2.0.0-2vulnerable
javamail (PTS)bullseye1.6.5-1vulnerable
bookworm1.6.5-2vulnerable
forky, sid, trixie1.6.5-3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jakarta-mailsource(unstable)(unfixed)1109804
javamailsource(unstable)(unfixed)1109824

Notes

[trixie] - jakarta-mail <no-dsa> (Minor issue)
[bookworm] - jakarta-mail <no-dsa> (Minor issue)
[bullseye] - jakarta-mail <postponed> (Minor issue)
[trixie] - javamail <no-dsa> (Minor issue)
[bookworm] - javamail <no-dsa> (Minor issue)
[bullseye] - javamail <postponed> (Minor issue)
https://gitlab.eclipse.org/security/cve-assignement/-/issues/67
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/290
https://github.com/jakartaee/mail-api/commit/cc9b954f3816f18f1b96dd50b1f8f51b3116462d (1.6.8)
Search for package or bug name: Reporting problems