It was found that versions of rubygem-mail prior to 2.6.0 are vulnerable to SMTP injection via recipient email addresses. The Mail module neither validates nor sanitizes the recipient addresses it is given and does not impose a length limit on email addresses. An attacker can send a long spam message via the recipient address unless the application imposes its own limit. This vulnerability affects only applications that lack input validation.

Upstream patch: https://github.com/mikel/mail/commit/72befdc4dab3e6e288ce226a7da2aa474cf5be83

CVE request: http://www.openwall.com/lists/oss-security/2015/12/11/3

Note that this patch might not be complete, since according to the author, the fault can also be on Net::SMTP's side.
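Because the advisory notes that only applications without input validation are affected, the application-side check is the practical mitigation regardless of which gem version is installed. The following is an added example, not code from the advisory or from the mail gem: a standalone recipient validator an application would run before handing addresses to Mail or Net::SMTP. It assumes addresses arrive as untrusted strings (for example from a web form), and the length limits used (254 bytes per address, 64 for the local part) are the RFC 5321 values, chosen here as a reasonable application limit rather than anything the advisory specifies.

```ruby
# Added example (not part of the advisory or the mail gem): reject recipient
# addresses that could carry SMTP injection or that are unreasonably long
# before they ever reach Mail / Net::SMTP.
#
# Assumptions: input is an untrusted String; limits follow RFC 5321.
MAX_ADDRESS_LENGTH = 254      # maximum bytes for a full address
MAX_LOCAL_PART_LENGTH = 64    # maximum bytes before the "@"

# Deliberately conservative syntax: one local part, one "@", a dotted domain.
# Stricter than the RFC on purpose so no whitespace or control characters,
# which an SMTP command or header line would need, can slip through.
ADDRESS_PATTERN = /\A[A-Za-z0-9!#$%&'*+\/=?^_`{|}~.-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\z/

class InvalidRecipient < StandardError; end

# Returns the address unchanged if it passes every check, otherwise raises
# InvalidRecipient with a short reason suitable for logging.
def validate_recipient(address)
  raise InvalidRecipient, "not a string" unless address.is_a?(String)
  # Embedded CR/LF or NUL is exactly what lets a recipient field be turned
  # into extra protocol lines; refuse it outright instead of stripping it.
  raise InvalidRecipient, "control characters" if address.match?(/[\r\n\x00]/)
  raise InvalidRecipient, "too long" if address.bytesize > MAX_ADDRESS_LENGTH
  raise InvalidRecipient, "bad syntax" unless address.match?(ADDRESS_PATTERN)
  local, = address.split("@", 2)
  raise InvalidRecipient, "local part too long" if local.bytesize > MAX_LOCAL_PART_LENGTH
  address
end

# Boolean convenience wrapper around validate_recipient.
def valid_recipient?(address)
  validate_recipient(address)
  true
rescue InvalidRecipient
  false
end

# Split a list of untrusted recipients into [accepted, rejected]; the caller
# decides whether to drop the rejected ones or refuse the whole request.
def sanitize_recipients(addresses)
  addresses.partition { |a| valid_recipient?(a) }
end

if __FILE__ == $0
  # Constructed sample inputs: two normal addresses, one over-long address,
  # and one carrying a line break.
  samples = [
    "alice@example.com",
    "bob@sub.example.org",
    ("x" * 300) + "@example.com",
    "eve@example.com\r\nX-Injected: yes",
  ]
  accepted, rejected = sanitize_recipients(samples)
  puts "accepted: #{accepted.inspect}"
  puts "rejected: #{rejected.map(&:inspect).join(', ')}"
end
```

Rejecting rather than stripping control characters is intentional: a sanitized-by-removal address can still differ from what the user typed, whereas a hard failure is easy to log and alert on, which is the signal a defender wants when someone probes a mail form.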