BSides Canberra 2025

Primitives for Security Audits: Lessons from Jakarta Mail
2025-09-26, Off-Main Track

Email addresses are a common data type whose handling is highly inconsistent: different parsers behave differently depending on their implementation. In some cases a parser accepts an RFC-compliant email address that the developer never anticipated, and that gap between what the parser accepts and what the developer assumed it would accept can lead to high-impact vulnerabilities. This is not restricted to web applications; it applies to any service that parses email addresses to establish identities.

In this presentation, I will talk about my experience researching Jakarta Mail (previously known as JavaMail, javax.mail) for email parsing issues, presented as a journey. This research was inspired by one of our recent engagements, where a client used a library that has JavaMail as one of its dependencies. While researching mail vulnerabilities, I recalled how Gareth Heyes from PortSwigger published research on the use of encoded strings in email addresses and how email parsers may decode and accept them. After reading that write-up, I attempted to extend Gareth's research, this time against Jakarta Mail, and was surprised to find other interesting behaviours.

One of the main highlights of this talk will be InternetAddress.java, a default class shipped with Jakarta Mail that is used to parse and represent email addresses. It has inconsistencies that can lead to situations where developers assume that addresses are always validated when in fact they are not. As InternetAddress is not typically used directly, I have also looked into how other libraries use it, namely Angus Mail and the Spring Framework. In addition to the InternetAddress class, I will also go through my observations on other classes such as MimeMessage (from Jakarta Mail), as well as InternetAddressEditor, MimeMessageHelper, MimeMailMessage and SimpleMailMessage (from the Spring Framework).
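The parse-versus-validate distinction above is the first thing to check in a code review. The following is an added example, not code from the talk or from Jakarta Mail: it contrasts the single-argument InternetAddress constructor, whose Javadoc states that it does not perform the additional syntax checks of the InternetAddress(String, boolean strict) constructor, with the strict constructor plus an explicit validate() call. The sample inputs are constructed for illustration, and the exact accept/reject outcome for each of them depends on the Jakarta Mail version in use, which is why the example prints both results side by side rather than asserting on them.

```java
import jakarta.mail.internet.AddressException;
import jakarta.mail.internet.InternetAddress;

public final class AddressCheck {

    // Stage 1: parsing only. The single-argument constructor parses the string
    // into an addr-spec and optional personal name but does not apply the extra
    // RFC 822 syntax checks of the strict constructor. Returns null on rejection.
    static String parseOnly(String raw) {
        try {
            return new InternetAddress(raw).getAddress();
        } catch (AddressException e) {
            return null;
        }
    }

    // Stage 2: parse with strict=true, then call validate() so the intent
    // "this address must conform to RFC 822 syntax" is explicit at the call site.
    // Returns null on rejection by either step.
    static String parseAndValidate(String raw) {
        try {
            InternetAddress a = new InternetAddress(raw, true);
            a.validate();
            return a.getAddress();
        } catch (AddressException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs (not from the talk). Note that getAddress()
        // returns only the addr-spec, so a display name or comment is discarded.
        String[] samples = {
            "alice@example.com",
            "Alice <alice@example.com>",
            "alice@example.com (Alice)",
            "alice",                               // no domain part
            "\"alice@attacker.example\"@example.com" // quoted local-part containing '@'
        };
        for (String s : samples) {
            System.out.printf("%-42s parseOnly=%-28s strictValidate=%s%n",
                    s, parseOnly(s), parseAndValidate(s));
        }
    }
}
```

Run it against the Jakarta Mail version your application actually pulls in (Angus Mail provides the implementation) and compare the two columns; any row where parseOnly returns a value that parseAndValidate rejects is an address the lenient path would have let through. The same two-step split exists one layer up in Spring: MimeMessageHelper only calls validate() on the addresses passed to it when setValidateAddresses(true) has been set, and that flag defaults to false.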

Throughout this research I noted down various interesting primitives, which I will share in the hope that they are useful to other researchers who encounter these libraries in the wild.

Jia Hao Poh is a Senior Security Consultant at Elttam whose interest lies in web application security. He is always interested in staying up to date on the latest hacking techniques used to challenge assumptions.