Plunk CRLF Header Injection Vulnerability in Email Header Interpolation
Vulnerability
A CRLF header injection vulnerability exists in Plunk versions prior to 0.8.0, specifically within the SESService.ts file. This vulnerability allows authenticated API users to inject arbitrary email headers by embedding carriage return/line feed characters into user-supplied fields such as 'from.name', 'subject', custom header keys/values, and attachment filenames. The injected headers could enable silent email forwarding, reply redirection, or sender spoofing. The issue arises because user input is directly interpolated into raw MIME messages without proper sanitization.
Impact
Exploitation of this vulnerability allows for CRLF injection in email headers, enabling unauthorized manipulation of email delivery and presentation, such as spoofing the sender or redirecting replies.
Remediation
Users can upgrade to Plunk version 0.8.0 or later, where this vulnerability has been addressed by adding input validation to reject carriage return and line feed characters in the affected fields.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.