# Email Header Injection

- ID: javascript-email-header-injection
- Severity: HIGH
- CWE: CWE-93
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify, koa, nextjs

## Description

Detects email header injection vulnerabilities where user input flows into email headers (To, From, Subject, Cc, Bcc) without validation. Attackers can inject CRLF sequences (`\r\n`) to add arbitrary headers or body content.

Attack impact:

- Send spam/phishing emails via your server
- Add hidden recipients (Cc/Bcc injection)
- Modify email content
- Bypass spam filters using your domain reputation

Common vulnerable patterns:

- nodemailer with user-controlled options
- SendGrid/Mailgun APIs with user input
- Custom SMTP implementations

## Detection Message

User input from {source} flows to email sending at {sink} without sanitization. Attackers can inject CRLF (`\r\n`) to add headers or modify email content.

## Remediation

Validate email addresses and remove CRLF from header values:

```javascript
const validator = require('validator');
const nodemailer = require('nodemailer');

// SMTP settings come from deployment configuration, not from the request.
const transporter = nodemailer.createTransport({ /* SMTP settings */ });

// Strip CR and LF so a user-supplied value cannot terminate the header
// it lives in and start a new header or the message body.
function sanitizeHeader(value) {
  return String(value).replace(/[\r\n]/g, '');
}

// Express handler for a contact form posting { email, subject, message }.
async function contactHandler(req, res) {
  const { email, subject, message } = req.body;
  if (!validator.isEmail(email)) {
    return res.status(400).json({ error: 'Invalid email' });
  }
  const safeSubject = sanitizeHeader(subject).slice(0, 200);
  await transporter.sendMail({
    to: 'admin@example.com',          // fixed recipient, never user-controlled
    replyTo: email,                   // validated address
    subject: `Contact: ${safeSubject}`,
    text: message                     // body text; CRLF is harmless here
  });
  res.json({ ok: true });
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-93/email-header-injection
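To make the CRLF mechanism concrete, the following added example (not part of the rule's own documentation) builds the same contact-form message two ways: the vulnerable "paste user input into raw headers" shape that this rule flags, and the hardened shape with a fixed recipient, an address check and header sanitization. The sample request, the `EMAIL_RE` syntax check and the helper names are constructed for illustration; the conservative regex stands in for `validator.isEmail` so the block has no dependencies.

```javascript
'use strict';

// Constructed sample: a contact-form payload whose subject carries a CRLF injection attempt.
const SAMPLE_REQUEST = {
  email: 'visitor@example.net',
  subject: 'Hello\r\nBcc: hidden@example.org\r\n\r\nInjected body',
  message: 'Please call me back.',
};

// Conservative address check: no whitespace or CR/LF, exactly one "@", a dotted domain.
// Stand-in for validator.isEmail so this block runs without dependencies.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function isValidEmail(value) {
  return typeof value === 'string' && value.length <= 254 && EMAIL_RE.test(value);
}

// True when a value contains a CR or LF: useful for logging rejected input in detection.
function hasCrlf(value) {
  return /[\r\n]/.test(String(value));
}

// Strip CR/LF and cap length so the value cannot end its header line or grow unbounded.
function sanitizeHeader(value, maxLen = 200) {
  return String(value).replace(/[\r\n]/g, '').slice(0, maxLen);
}

// Vulnerable shape: user input concatenated straight into raw SMTP headers.
function buildRawHeadersVulnerable(req) {
  return `From: ${req.email}\r\nTo: admin@example.com\r\n` +
    `Subject: Contact: ${req.subject}\r\n\r\n${req.message}`;
}

// Hardened shape: fixed recipient, validated reply address, sanitized header values.
function buildMailOptionsSafe(req) {
  if (!isValidEmail(req.email)) throw new Error('Invalid email');
  return {
    to: 'admin@example.com',                      // never user-controlled
    replyTo: req.email,                           // passed the address check
    subject: `Contact: ${sanitizeHeader(req.subject)}`,
    text: String(req.message),                    // body: CRLF is harmless here
  };
}

// Count header lines in a raw message. The vulnerable builder writes three headers;
// a higher count means the injected "Bcc:" line became a real header.
function countHeaderLines(raw) {
  return raw.split('\r\n\r\n')[0].split('\r\n').length;
}
```

Run on `SAMPLE_REQUEST`, the vulnerable builder yields four header lines (the attacker's `Bcc:` included) while the hardened builder produces a single-line subject and refuses a reply address that itself contains CRLF.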