Hi,

For what it's worth, I found a somewhat similar issue in PHP not so long ago.

PHP has two interfaces to pass additional mail headers, one just passing a multiline string (which unavoidably creates injection risks), and another one with an array. The latter can avoid newline injections, but it only did so for "\r\n", not for "\n". (Whether that'll be accepted depends I believe on the mail server, but most will *ceterum censeo Hanno moaning about the misguided robustness principle*...)

I hadn't really seen this as a security vulnerability, more a hardening issue, so I reported it as a suggestion to PHP, and they improved their filtering. It was fixed/improved:
https://github.com/php/php-src/issues/13402

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
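
An added example, not part of the original message and not PHP's internal code: a userland check for header arrays that rejects a lone CR or LF, shown beside the weaker check that only looks for the "\r\n" pair. The function names and sample values are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Weak check, as described in the message: only the "\r\n" pair counts as a line break.
function weak_value_ok(string $value): bool
{
    return strpos($value, "\r\n") === false;
}

// Stricter check: a lone CR or a lone LF is rejected as well.
function strict_value_ok(string $value): bool
{
    return strpbrk($value, "\r\n") === false;
}

// Hypothetical helper: turn a name => value array into a header block,
// refusing anything that could start a new header line.
function build_headers(array $headers): string
{
    $lines = [];
    foreach ($headers as $name => $value) {
        // \A and \z anchor the whole string; "$" would tolerate a trailing "\n".
        if (!preg_match('/\A[\x21-\x39\x3B-\x7E]+\z/', (string) $name)) {
            throw new InvalidArgumentException('invalid header name');
        }
        if (!strict_value_ok((string) $value)) {
            throw new InvalidArgumentException("line break in value of $name");
        }
        $lines[] = "$name: $value";
    }
    return implode("\r\n", $lines);
}

// Constructed sample values, not taken from any real message.
$samples = [
    'clean'   => 'Example Sender <sender@example.org>',
    'crlf'    => "sender@example.org\r\nX-Extra: 1",
    'bare LF' => "sender@example.org\nX-Extra: 1",
    'bare CR' => "sender@example.org\rX-Extra: 1",
];
foreach ($samples as $label => $value) {
    printf("%-8s weak=%s strict=%s\n", $label,
        var_export(weak_value_ok($value), true),
        var_export(strict_value_ok($value), true));
}
```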