CVE-2025-7962: 
Java vulnerability analysis and mitigation

A vulnerability was discovered in Jakarta Mail 2.0.2 that allows SMTP Injection attacks through the manipulation of \r and \n UTF-8 characters to separate different messages. The vulnerability was assigned CVE-2025-7962 and was first published on July 21, 2025. The affected software includes Jakarta Mail version 2.0.2 and related packages in various Linux distributions including Debian and Ubuntu (NVD, Eclipse Issue).

The vulnerability is classified as CWE-147 (Improper Neutralization of Input Terminators) and has received a CVSS 4.0 Base Score of 6.0 (Medium) with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N. The technical nature of the vulnerability involves the improper handling of UTF-8 characters (\r and \n) which can be exploited to perform SMTP injection attacks (Eclipse Issue, NVD).

The vulnerability allows an attacker to perform SMTP injection attacks, potentially leading to unauthorized message separation and manipulation of email content. The CVSS scoring indicates high impact on integrity (VI:H) with some impact on system integrity (SI:L), while maintaining normal availability and confidentiality (Eclipse Issue).

As of the latest updates, no official fixes have been released for the affected systems. The vulnerability is currently under evaluation for Ubuntu 25.04 (plucky), 24.04 LTS (noble), and 22.04 LTS (jammy). Debian packages including jakarta-mail and javamail remain vulnerable across multiple releases (Ubuntu Security, Debian Tracker).