[Vulnerability] HKP email search helper injects unescaped query parameters
Severity: High (CVSS 7.5)

`KeyServer::search` appends the user-controlled email address directly to the `search=` query parameter without percent-encoding.【F:net/src/lib.rs†L168-L193】 Although `UserID::email()` validates that the string contains an `@`, it does not restrict other characters, so mailbox local parts like `mallory+tag&role=admin` are accepted.【F:net/src/email.rs†L32-L51】 When such a value is spliced into the HKP lookup URL, the embedded `&role=admin` is treated as a new query parameter by intermediaries and by the keyserver itself. Attackers can therefore smuggle arbitrary HKP flags, override the requested search mode, or inject diagnostic toggles into outbound requests.

The following proof of concept (save it at `sequoia/net/examples/HPK.rs`) shows the crafted email causing the helper to emit a URL with an injected `role=admin` parameter. It can be run from the project root with:

`cargo run --no-default-features --features "crypto-rust,allow-experimental-crypto,allow-variable-time-crypto" --example HKP`

```rust
use sequoia_net::KeyServer;
use sequoia_openpgp::packet::UserID;

fn main() -> anyhow::Result<()> {
    let ks = KeyServer::new("hkps://keys.example").unwrap();
    // The local part carries a `&role=admin` suffix; `email()` accepts it
    // because it only checks for the presence of an `@`.
    let userid = UserID::from("Mallory <mallory+tag&role=admin@example.org>");
    let email = userid.email().unwrap().unwrap();
    // Same construction as the helper: the email is interpolated unescaped.
    let url = ks.url().join(&format!(
        "pks/lookup?op=get&options=mr&search={}",
        email,
    ))?;
    assert!(url.as_str().contains("role=admin"));
    println!("{}", url);
    Ok(())
}
```

The output demonstrates that the attacker-controlled suffix becomes a separate query argument. Percent-encoding the email before interpolation would keep the injected segment from altering the HKP request.

![image.png](/uploads/137dbf4ac43bee8d3635ca7aaed42956/image.png){width="1437" height="539"}

Last commit hash `05e6707ad2c68fa52a30c3c9a21d54dc00089919`
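As an added illustration (not code from the sequoia-net project or from this report), the snippet below builds the lookup URL both ways using only the standard library: first unescaped, as the report describes, then with a small RFC 3986 percent-encoder applied to the mailbox, and splits the resulting query the way a server would so the extra `role` parameter shows up in one case and not the other. The base URL, the encoder and the splitting helper are assumptions for the demo, not sequoia-net's API.

```rust
// Added example (not sequoia-net code): shows why the unescaped `search=` value
// splits into extra query arguments, and a std-only percent-encoder that fixes it.
/// Percent-encode a string for use as one query-parameter value.
/// RFC 3986 unreserved characters pass through; everything else becomes %XX.
pub fn encode_query_value(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// The lookup URL built the way the report describes (no encoding).
pub fn lookup_url_unescaped(base: &str, email: &str) -> String {
    format!("{}/pks/lookup?op=get&options=mr&search={}", base, email)
}

/// The same URL with the email percent-encoded before interpolation.
pub fn lookup_url_escaped(base: &str, email: &str) -> String {
    format!("{}/pks/lookup?op=get&options=mr&search={}", base, encode_query_value(email))
}

/// Split the query string the way an HKP server would: on `&`, then on `=`.
/// Returns (key, value) pairs in order; values are left as transmitted.
pub fn query_params(url: &str) -> Vec<(String, String)> {
    let query = url.splitn(2, '?').nth(1).unwrap_or("");
    query
        .split('&')
        .filter(|kv| !kv.is_empty())
        .map(|kv| {
            let mut it = kv.splitn(2, '=');
            (it.next().unwrap_or("").to_string(), it.next().unwrap_or("").to_string())
        })
        .collect()
}

fn main() {
    // Constructed sample mailbox with the same shape as the report's PoC.
    let email = "mallory+tag&role=admin@example.org";
    let bad = lookup_url_unescaped("hkps://keys.example", email);
    let good = lookup_url_escaped("hkps://keys.example", email);
    println!("unescaped: {}\n  params: {:?}", bad, query_params(&bad));
    println!("escaped:   {}\n  params: {:?}", good, query_params(&good));
}
```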