What is header injection?
Header injection occurs when an application copies unsanitized user input into a protocol header and the attacker embeds raw header control sequences in that input. In the classic email case the payload is a carriage return and line feed sequence, `\r\n` (CRLF), which is the header terminator in SMTP/RFC 5322 messages. The mail-building code passes it through untouched, and the mail transfer agent that reads the message treats whatever follows the CRLF as a new header line.
For example, a malicious value posted into a contact form's Subject field might be: `Help\r\nBcc: 1000-spam-victims@example.com`. If the site's mail code concatenates that Subject straight into the outgoing headers, the message goes out with a `Subject: Help` line followed by an injected `Bcc:` line, and the mail system delivers a copy to every address on the attacker's list from the site's trusted sending IP and domain. The same CRLF trick works on other recipient headers (`To:`, `Cc:`, `Reply-To:`), and the same class of flaw in HTTP headers is known as HTTP response splitting.
It is effectively a hijack: someone sneaking extra cargo onto your ship mid-journey. The defenses are straightforward: validate each field against what it should contain, reject any value containing CR or LF (a bare `\n` is enough for many mail transfer agents, so check for both characters independently), and build messages with a library that enforces header syntax rather than concatenating strings yourself. Rejecting is preferable to silently stripping the characters, because a rejected request can be logged and alerted on as an injection attempt.
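The following Python is an added example, not code from the original page. It shows the vulnerable string-concatenation builder, a small header parser that mimics what the mail layer sees (so the injected `Bcc:` becomes a real header), a hardened builder that rejects CR/LF/NUL, and a check that the standard library's `EmailMessage` refuses multi-line header values. The sender address, the recipient, the `HeaderInjectionError` class and the Subject payload are all constructed for the illustration.

```python
"""Email header injection: vulnerable builder, what the mail layer parses,
and the hardened builder. Hypothetical example; all inputs are constructed."""
import re
from email.message import EmailMessage

CRLF = "\r\n"

# Constructed attacker payload for the contact form's Subject field.
MALICIOUS_SUBJECT = "Help\r\nBcc: 1000-spam-victims@example.com"

# Hypothetical sender/recipient used by the site's contact form.
SENDER = "contact@shop.example"
RECIPIENT = "sales@shop.example"


def build_headers_vulnerable(to_addr: str, subject: str) -> str:
    """Concatenates user input straight into the header block (the bug)."""
    return (
        f"From: {SENDER}{CRLF}"
        f"To: {to_addr}{CRLF}"
        f"Subject: {subject}{CRLF}"
    )


def parse_headers(header_block: str) -> dict:
    """Minimal RFC 5322-style header parser: one 'Name: value' per line.
    Mimics how an MTA reads the block. Like many MTAs it accepts CRLF,
    bare LF or bare CR as a line terminator, so any injected newline
    turns the text after it into a separate, real header."""
    headers = {}
    for line in re.split(r"\r?\n|\r", header_block):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


# Characters that must never appear inside a single header value.
HEADER_CTRL = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """Raised when user input would break out of its header field."""


def build_headers_safe(to_addr: str, subject: str) -> str:
    """Rejects CR, LF or NUL in user-controlled values before they reach
    the header block. Rejecting (rather than stripping) lets the caller
    log and alert on the attempt."""
    for field, value in (("To", to_addr), ("Subject", subject)):
        if HEADER_CTRL.search(value):
            raise HeaderInjectionError(f"control characters in {field} field")
    return build_headers_vulnerable(to_addr, subject)


def safe_builder_blocks(subject: str) -> bool:
    """True if the hardened builder refuses this Subject value."""
    try:
        build_headers_safe(RECIPIENT, subject)
    except HeaderInjectionError:
        return True
    return False


def library_rejects_injection(subject: str) -> bool:
    """The stdlib EmailMessage (email.policy.default) raises ValueError on
    header values containing CR or LF, which is why a real message builder
    beats hand-rolled string concatenation."""
    msg = EmailMessage()
    try:
        msg["Subject"] = subject
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    leaked = parse_headers(build_headers_vulnerable(RECIPIENT, MALICIOUS_SUBJECT))
    print("Bcc header the MTA would act on:", leaked.get("bcc"))
    print("hardened builder blocked it:", safe_builder_blocks(MALICIOUS_SUBJECT))
    print("EmailMessage blocked it:", library_rejects_injection(MALICIOUS_SUBJECT))
```

Running the block shows the vulnerable path yielding a `bcc` header of `1000-spam-victims@example.com` that the site never set, while both the hardened builder and `EmailMessage` refuse the same input. The allow-list check in `build_headers_safe` is deliberately strict about a bare `\n` and a bare `\r`, not just the `\r\n` pair, because the receiving mail software will usually honour either one as a line break.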