From 9370ea77a40d03a55f864433decf3c34c29bf4f8 Mon Sep 17 00:00:00 2001
From: Henri Cook
Date: Wed, 11 Feb 2026 15:43:38 +0000
Subject: [PATCH] [EMAIL] Fix CVE-2025-7962: SMTP injection via Jakarta Mail Migrate commons-email2-jakarta from com.sun.mail:jakarta.mail:2.0.2 to org.eclipse.angus:jakarta.mail:2.0.5 - the patched successor of the EOL com.sun.mail implementation. Bump commons-email2-javax from com.sun.mail:jakarta.mail:1.6.7 to 1.6.8. Both prior versions are vulnerable to CVE-2025-7962, an SMTP injection flaw allowing attackers to inject arbitrary SMTP commands via \r\n characters in UTF-8 encoded input.
---
commons-email2-jakarta/pom.xml | 10 +++++-----
commons-email2-javax/pom.xml | 2 +-
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/commons-email2-jakarta/pom.xml b/commons-email2-jakarta/pom.xml
index 9e0782126..ceb56a594 100644
--- a/commons-email2-jakarta/pom.xml
+++ b/commons-email2-jakarta/pom.xml
@@ -36,10 +36,10 @@ commons-email2-core 2.0.0-M2-SNAPSHOT - - com.sun.mail - jakarta.mail - 2.0.2 + + org.eclipse.angus + jakarta.mail + 2.0.5 com.github.davidmoten
@@ -48,7 +48,7 @@ test - com.sun.mail + org.eclipse.angus jakarta.mail
diff --git a/commons-email2-javax/pom.xml b/commons-email2-javax/pom.xml
index 18269bba0..a2f27821f 100644
--- a/commons-email2-javax/pom.xml
+++ b/commons-email2-javax/pom.xml
@@ -39,7 +39,7 @@ com.sun.mail jakarta.mail - 1.6.7 + 1.6.8 org.subethamail
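Review bot: In the second hunk of commons-email2-jakarta/pom.xml (`@@ -48,7 +48,7 @@`), the coordinate that changes from `com.sun.mail` to `org.eclipse.angus` sits under the test-scoped `com.github.davidmoten` dependency and looks like an exclusion entry; the XML tags are not visible on this page, so that reading is inferred. If that dependency still brings in `com.sun.mail:jakarta.mail` transitively, renaming the exclusion stops filtering it, and the implementation affected by CVE-2025-7962 would resolve again on the test classpath next to the Angus one. I would keep the existing `com.sun.mail` / `jakarta.mail` exclusion and add an `org.eclipse.angus` / `jakarta.mail` exclusion beside it only if the transitive tree needs it. Running `mvn dependency:tree -Dincludes=com.sun.mail` in both modules would confirm that only the intended 1.6.8 artifact in commons-email2-javax remains.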