[{"data":1,"prerenderedAt":152},["ShallowReactive",2],{"blog-vulnerabilities/email-header-injection":3},{"id":4,"title":5,"body":6,"category":132,"date":133,"dateModified":133,"description":134,"draft":135,"extension":136,"faq":137,"featured":135,"headerVariant":138,"image":137,"keywords":137,"meta":139,"navigation":140,"ogDescription":141,"ogTitle":137,"path":142,"readTime":143,"schemaOrg":144,"schemaType":145,"seo":146,"sitemap":147,"stem":148,"tags":149,"twitterCard":150,"__hash__":151},"blog/blog/vulnerabilities/email-header-injection.md","Email Header Injection Explained",{"type":7,"value":8,"toc":123},"minimark",[9,16,21,24,39,44,63,67,76,92,111],[10,11,12],"tldr",{},[13,14,15],"p",{},"Email header injection happens when user input is included in email headers without sanitization. Attackers inject newlines to add additional headers like CC, BCC, or even modify the email body. This turns your contact form into a spam relay. Strip or reject newlines from all email-related inputs.",[17,18,20],"h2",{"id":19},"how-email-header-injection-works","How Email Header Injection Works",[13,22,23],{},"Email headers are separated by newlines (CRLF). If attackers can inject newlines into any header field, they can add arbitrary headers.",[25,26,28],"code-block",{"label":27},"Vulnerable contact form",[29,30,35],"pre",{"className":31,"code":33,"language":34},[32],"language-text","// User submits contact form with name field:\n// \"John\\r\\nBcc: spam-list@evil.com\\r\\n\\r\\nSpam content\"\n\napp.post('/contact', (req, res) => {\n  const { name, email, message } = req.body;\n\n  // VULNERABLE: name goes directly into headers\n  sendMail({\n    from: `${name} `,\n    to: 'support@yoursite.com',\n    subject: 'Contact Form',\n    text: message\n  });\n});\n\n// Resulting email has injected BCC header:\n// From: John\n// Bcc: spam-list@evil.com\n// (blank line = end of headers, start of body)\n// Spam content\n","text",[36,37,33],"code",{"__ignoreMap":38},"",[40,41,43],"h3",{"id":42},"what-attackers-can-do","What Attackers Can Do",[45,46,47,51,54,57,60],"ul",{},[48,49,50],"li",{},"Add BCC to send spam through your server",[48,52,53],{},"Modify the From address for phishing",[48,55,56],{},"Change the Subject line",[48,58,59],{},"Replace the entire email body",[48,61,62],{},"Turn your server into a spam relay (getting you blacklisted)",[17,64,66],{"id":65},"how-to-prevent-it","How to Prevent It",[25,68,70],{"label":69},"Safe email handling",[29,71,74],{"className":72,"code":73,"language":34},[32],"function sanitizeEmailInput(input) {\n  // Remove all CR, LF, and null bytes\n  return input.replace(/[\\r\\n\\0]/g, '');\n}\n\n// Or validate and reject\nfunction validateEmailInput(input) {\n  if (/[\\r\\n]/.test(input)) {\n    throw new Error('Invalid characters in input');\n  }\n  return input;\n}\n\napp.post('/contact', (req, res) => {\n  const name = sanitizeEmailInput(req.body.name);\n  const email = validateEmailInput(req.body.email);\n\n  // Now safe to use in email\n});\n",[36,75,73],{"__ignoreMap":38},[77,78,79,86],"faq-section",{},[80,81,83],"faq-item",{"question":82},"Does my email library prevent this?",[13,84,85],{},"Some modern libraries sanitize headers automatically, but many do not. Check your library's documentation and test with payloads containing newlines to be sure.",[80,87,89],{"question":88},"What about the message body?",[13,90,91],{},"The body is generally safe from header injection (since it comes after headers), but you should still sanitize for XSS if the email is HTML.",[93,94,95,101,106],"related-articles",{},[96,97],"related-card",{"description":98,"href":99,"title":100},"HTML email injection","/blog/vulnerabilities/xss","XSS",[96,102],{"description":103,"href":104,"title":105},"Similar injection pattern","/blog/vulnerabilities/command-injection","Command Injection",[96,107],{"description":108,"href":109,"title":110},"Validation techniques","/blog/how-to/validate-user-input","Input Validation",[112,113,116,120],"cta-box",{"href":114,"label":115},"/","Start Free Scan",[17,117,119],{"id":118},"check-your-email-forms","Check Your Email Forms",[13,121,122],{},"Our scanner tests contact forms for header injection vulnerabilities.",{"title":38,"searchDepth":124,"depth":124,"links":125},2,[126,130,131],{"id":19,"depth":124,"text":20,"children":127},[128],{"id":42,"depth":129,"text":43},3,{"id":65,"depth":124,"text":66},{"id":118,"depth":124,"text":119},"vulnerabilities","2026-01-14","Email header injection lets attackers add CC/BCC recipients or modify email content through form inputs. Learn how to sanitize email inputs properly.",false,"md",null,"red",{"noindex":140},true,"Learn how email header injection works and how to prevent it.","/blog/vulnerabilities/email-header-injection","5 min read","[object Object]","TechArticle",{"title":5,"description":134},{"loc":142},"blog/vulnerabilities/email-header-injection",[],"summary_large_image","BLfZLXBgIDy8F5lPLkD2lI2E5SiRSkJV8aEPPfw9ftE",1775843926943]