OFFSITE.DARK

Jul 1, 2026


Exploitarium

  • curl
  • smtp
  • crlf-injection
  • exploitarium

news

curl SMTP EXPN Recipient CRLF Command Injection

CRLF in CURLOPT_MAIL_RCPT operand injects full MAIL/RCPT/DATA transaction after authenticated EXPN — stock curl completes injected message.

Summary

Stock curl serializes the SMTP custom-recipient operand without rejecting embedded CR/LF bytes, so a CURLOPT_MAIL_RCPT value passed to an EXPN request can inject a full MAIL FROM / RCPT TO / DATA transaction under the same authenticated session. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

Finding | Detail
Product / target | Stock curl with SMTP support (lib/smtp.c custom recipient branch)
Primitive | Unvalidated smtp->rcpt->data written into %s %s%s SMTP line via Curl_pp_sendf
Impact | Authenticated SMTP session can send attacker-controlled messages to arbitrary recipients on the same server.

Attack Chain

curl -K config (EXPN + mail-rcpt with CRLF) → AUTH PLAIN → EXPN Friends → injected MAIL/RCPT/DATA → marker body accepted

Mitigation

Reject CR and LF in custom SMTP recipient operands before protocol serialization; audit automation that passes untrusted strings into CURLOPT_MAIL_RCPT.
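
One way to apply this mitigation on the caller side, as an added example that is not code from curl or from the Exploitarium PoC: a check run on each recipient operand before it is appended to the list given to CURLOPT_MAIL_RCPT. The helper names, the 256-byte limit and the sample operands are assumptions made for illustration, and the check goes beyond CR/LF by rejecting every control byte.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define RCPT_MAX_LEN 256 /* assumed local policy limit, not a libcurl constant */

/* Hypothetical helper, not a libcurl API: 1 if the operand fits on one SMTP
 * command line. Explicit length so an embedded NUL is seen and rejected. */
int rcpt_operand_is_safe(const char *s, size_t len)
{
    size_t i;
    if (s == NULL || len == 0 || len > RCPT_MAX_LEN)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        /* CR/LF end an SMTP line; reject them and all other control bytes. */
        if (c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Copies safe entries of in[0..n) to out[] and returns the number kept; only
 * out[] entries should reach curl_slist_append() / CURLOPT_MAIL_RCPT. */
size_t filter_recipients(const char *const *in, size_t n, const char **out)
{
    size_t i, kept = 0;
    for (i = 0; i < n; i++) {
        if (rcpt_operand_is_safe(in[i], in[i] ? strlen(in[i]) : 0))
            out[kept++] = in[i];
        else
            fprintf(stderr, "rejected recipient operand #%lu\n", (unsigned long)i);
    }
    return kept;
}

/* Constructed sample input: two clean operands, two carrying line breaks. */
static const char *const samples[] = {
    "Friends", "user@example.test", "Friends\r\nNOOP", "user@example.test\n" };
size_t demo_kept_count(void)
{
    const char *out[4];
    return filter_recipients(samples, 4, out);
}

int main(void)
{
    printf("kept %lu of 4 operands\n", (unsigned long)demo_kept_count());
    return 0;
}
```

Rejected operands are reported on stderr by index only, so the log line itself cannot carry the injected bytes.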
