SEC009warningPro

email-header-injection

User input in email headers may allow header injection

Applies to: JavaScript, Python, TypeScript

Why this matters

Email headers are delimited by newlines (CRLF). If user input containing newlines is included in headers, attackers can inject arbitrary headers like BCC to exfiltrate emails or From to spoof senders.

Catch it before it ships

pip install stablestack # or: npx stablestackstablestack # scans your project, SEC009 includedstablestack explain SEC009

SEC009 is part of the Pro rule set. See pricing — the free tier ships 24 checks with no signup.

False positive in your codebase? Suppress a single line with # noqa: SEC009