PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5223 Phpmailer Project CVE debrief

CVE-2017-5223 is a local information disclosure issue in PHPMailer versions before 5.2.22. The risk arises when an application calls msgHTML() on unfiltered, user-supplied HTML and does not set a base directory. In that case, relative image URLs may be resolved as local file paths and attached, which can expose local content. The issue is medium severity, but it is most important wherever PHPMailer is used to transform user-controlled HTML into email bodies.

Vendor: Phpmailer Project
Product: CVE-2017-5223
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-16
Original CVE updated: 2026-05-13
Advisory published: 2017-01-16
Advisory updated: 2026-05-13

Who should care

Developers and operators of applications that use PHPMailer msgHTML() with user-generated or otherwise untrusted HTML, especially if the code does not explicitly set and constrain a base directory.

Technical summary

PHPMailer’s msgHTML() method transforms HTML into an email-ready body and can rewrite relative image URLs into attachments. According to the CVE description and NVD entry, if no base directory is provided, the method resolves the base to /, which causes relative image URLs to be treated as absolute local file paths. Remote exposure requires all of the following: the application calls msgHTML(), the HTML input is not filtered, the HTML is attacker-controlled, and no base directory is set. NVD lists the affected PHPMailer version range as up to and including 5.2.21.

Defensive priority

Medium — prioritize if your application accepts user-supplied HTML and uses PHPMailer msgHTML() without a locked-down base directory.

Recommended defensive actions

  • Upgrade PHPMailer to 5.2.22 or later.
  • Review every msgHTML() call site for untrusted or user-supplied HTML input.
  • Always set a safe base directory when msgHTML() is used, and ensure it cannot resolve to sensitive local paths.
  • Sanitize or otherwise constrain HTML before passing it to PHPMailer.
  • Test templates and user content for relative image references that could be rewritten into attachments.
  • Consult the PHPMailer SECURITY.md guidance referenced by NVD for project-specific mitigation details.
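As an added illustration of the base-directory and image-reference checks above (this is not PHPMailer's own code), a wrapper that refuses to call msgHTML() without a real base directory and rejects relative image references that would resolve outside it. The function name safeMsgHtml and the $mail object are hypothetical; it assumes PHPMailer 5.2.22 or later loaded as the global PHPMailer class.

```php
<?php
// Added example, not PHPMailer project code. Guards an msgHTML() call on
// untrusted HTML: an explicit base directory is required (an empty one is
// the misconfiguration behind CVE-2017-5223), and every relative <img src>
// is checked to resolve inside that directory before PHPMailer sees it.

function safeMsgHtml(PHPMailer $mail, string $html, string $baseDir): string
{
    // Require an existing directory; never let the base default to "".
    $base = ($baseDir === '') ? false : realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new InvalidArgumentException('msgHTML() needs a real base directory');
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    if (trim($html) === '') {
        return $mail->msgHTML($html, $base);
    }

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // untrusted HTML is rarely well-formed
    $doc->loadHTML($html);
    libxml_clear_errors();

    foreach ($doc->getElementsByTagName('img') as $img) {
        $src = $img->getAttribute('src');
        // Absolute URLs (scheme or protocol-relative) and data: URIs are not
        // rewritten into local file attachments, so they need no path check.
        if ($src === '' || preg_match('#^(?:[a-z][a-z0-9+.\-]*:|//)#i', $src)) {
            continue;
        }
        // Mirror the base-plus-relative join and normalise it; "../" segments
        // or a missing file yield a path outside $base or false, both rejected.
        $target = realpath($base . $src);
        if ($target === false || strpos($target, $base) !== 0) {
            throw new RuntimeException("image reference escapes base directory: $src");
        }
    }

    // Only known-local, in-directory images remain for PHPMailer to attach.
    return $mail->msgHTML($html, $base);
}
```

Calling this with an empty $baseDir or with HTML such as `<img src="../../etc/hostname">` raises an exception instead of producing an attachment, which is the observable behaviour a review of each msgHTML() call site should confirm.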

Evidence notes

This debrief is based on the CVE description and the NVD record, which identify PHPMailer before 5.2.22, the msgHTML() transformation behavior, and the condition that a missing base directory can cause relative image URLs to be treated as local file paths. NVD also links the PHPMailer SECURITY.md file as a patch reference. Third-party advisory and exploit references are present in NVD metadata, but this summary intentionally avoids exploit details.

Official resources

CVE published on 2017-01-16; NVD last modified the record on 2026-05-13. The issue affects PHPMailer versions through 5.2.21 according to NVD.