Overview
This advisory addresses a known security vulnerability identified in a third-party dependency used within DPGW.
Vulnerability Details
- CVE ID: CVE-2025-7962
- Dependency Name: com.sun.mail:jakarta.mail
- Affected Version of Dependency: < 1.6.7
- Severity Score: 6.0 Medium
(CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N)
Affected Versions of DPGW
- < 1.13.18-REL
- < 1.12.42-REL
- < 1.11.46-REL
Risk Assessment & Applicability
Usage
DPGW uses jakarta.mail as a transitive dependency of org.apache:commons-email for sending emails.
Analysis
The vulnerability is SMTP header injection: a \r\n sequence inside an email header value is interpreted as the start of a new header line.
Status
Affected
Severity Score in the context of DPGW: 5.8 Medium
(CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:H/VA:N/SC:N/SI:L/SA:N)
Impact on DPGW
By exploiting this flaw, an attacker can:
- Spamming: Add unauthorized Bcc or Cc recipients to hide their activity.
- Phishing: Overwrite the email body to send a completely different message than the application intended.
- Header Spoofing: Change the From address to make the email appear to come from a trusted source.
An unauthorized user of DPGW has no way to set the email subject or any other email header, and the UI does not allow special characters to be entered. The vulnerability could be exploited by an authorized user who forges HTTP API calls with a tool such as curl.
As there is no new version of commons-email, automatic sanitization of user-supplied email header values was added instead.
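To illustrate the header-injection mechanism described above and the kind of check a header sanitizer has to perform, here is an added Python example; it is not DPGW, commons-email or jakarta.mail code, the exact sanitization DPGW added is not described in this advisory, and the sample subject value is constructed.

```python
import re

# Constructed sample input: a subject value carrying a CRLF-injected Bcc header.
INJECTED_SUBJECT = "Your invoice\r\nBcc: hidden-recipient@example.invalid"

_LINE_BREAK = re.compile(r"[\r\n]")


def build_headers_unsafe(sender: str, recipient: str, subject: str) -> str:
    """Unsafe pattern: caller-supplied values go straight into the message head."""
    return f"From: {sender}\r\nTo: {recipient}\r\nSubject: {subject}\r\n"


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Split a header block on line breaks the way a mail agent would, so an
    injected line shows up as an additional header the application never set."""
    headers: dict[str, list[str]] = {}
    for line in re.split(r"\r\n|\n|\r", raw):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def unexpected_header_names(sender: str, recipient: str, subject: str) -> set[str]:
    """Detection helper: header names present that the application did not set."""
    expected = {"from", "to", "subject"}
    return set(parse_headers(build_headers_unsafe(sender, recipient, subject))) - expected


def header_value_is_safe(value: str) -> bool:
    """A header value may not contain CR or LF in any combination (not only \\r\\n)."""
    return _LINE_BREAK.search(value) is None


def validate_header_value(name: str, value: str) -> str:
    """Mitigation: reject rather than silently strip, so the caller can log the attempt."""
    if not header_value_is_safe(value):
        raise ValueError(f"CR/LF not allowed in header {name!r}")
    return value


def build_headers_safe(sender: str, recipient: str, subject: str) -> str:
    """Same message head as the unsafe builder, but every value is validated first."""
    return build_headers_unsafe(
        validate_header_value("From", sender),
        validate_header_value("To", recipient),
        validate_header_value("Subject", subject),
    )
```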
Remediation & Mitigations
Scheduled fix
Update to:
- 1.13.19-REL (released on 2026-04-29) or newer
- 1.12.43-REL (released on 2026-04-24) or newer
User Actions
No user action is required.