CVE-2026-21859

Severity: MEDIUM 5.8 | EPSS: 0.53%

Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability

Published: 2026/1/6 | Modified: 2026/2/3
Also known as: GHSA-8v65-47jx-7mfr, GO-2026-4284

Description

## Summary

A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's `/proxy` endpoint that allows attackers to make requests to internal network resources.

## Description

The `/proxy` endpoint allows requests to internal network resources. While it validates that the target uses the `http://` or `https://` scheme, it does not block internal IP addresses, allowing attackers to access internal services and APIs.

## Proof of Concept

### Basic SSRF Request

```
GET /proxy?url=http://127.0.0.1:8025/api/v1/info
```

This returns internal API data, including the database path and runtime statistics.

## Impact Assessment

### 1. Internal Network Scanning

An attacker can probe for and discover internal services on the network.

### 2. Information Disclosure

Access to internal API data, database paths, and runtime statistics.

### 3. Email Content Access

Ability to read all captured emails via internal API endpoints.

### 4. Cloud Metadata Access

If deployed in cloud environments (AWS/GCP/Azure), potential access to instance metadata services (e.g., `http://169.254.169.254/`).

## Attack Scenarios

### Scenario 1: Development Environment Exposure

If Mailpit is accidentally exposed to the internet, attackers can leverage the SSRF to access internal development resources and services.

### Scenario 2: Container Escape Information

In containerized deployments, the SSRF can reveal container metadata and internal service configurations.

### Scenario 3: Lateral Movement

In corporate networks, the SSRF can be used to discover and interact with internal services, facilitating lateral movement.

## Mitigating Factors

This vulnerability is limited to HTTP GET requests with minimal headers. Additionally, Mailpit's web UI and API should be protected by basic authentication when exposed to the internet, which prevents access to the proxy endpoint.

## References

- [MDN Web Security - SSRF Attacks](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF)
- [CWE-918: Server-Side Request Forgery](https://cwe.mitre.org/data/definitions/918.html)
- [OWASP SSRF Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)
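The advisory contrasts the check Mailpit's `/proxy` endpoint performed (scheme is `http` or `https`) with the one it lacked (the target must not be an internal address). The Go program below is an added example written for this page; it is not Mailpit's code and does not reproduce the project's fix. It shows a target validator that keeps the scheme check and adds the address check: literal IPs are classified directly, hostnames are resolved and every returned address is classified, and loopback, RFC 1918 / ULA private, link-local (which covers `169.254.169.254`), multicast and unspecified addresses are rejected. The `resolver` type, the function names, the `.test` hostnames and the address table in `stubLookup` are assumptions constructed so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"strings"
)

// ErrBlocked is returned when the target points at an address the proxy must not reach.
var ErrBlocked = errors.New("proxy target resolves to a blocked address")

// isInternal reports whether addr is a non-public destination. Unmap folds
// IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 back to 127.0.0.1 so the
// IPv4 classifiers apply to them as well.
func isInternal(addr netip.Addr) bool {
	addr = addr.Unmap()
	return addr.IsLoopback() || // 127.0.0.0/8, ::1
		addr.IsPrivate() || // 10/8, 172.16/12, 192.168/16, fc00::/7
		addr.IsLinkLocalUnicast() || // 169.254.0.0/16 (cloud metadata), fe80::/10
		addr.IsMulticast() ||
		addr.IsUnspecified() // 0.0.0.0, ::
}

// resolver is the hostname-to-address lookup used by validateProxyTarget.
// It is a parameter so the check can be exercised offline with a stub (assumed design).
type resolver func(host string) ([]netip.Addr, error)

// systemResolver resolves through the host DNS configuration.
func systemResolver(host string) ([]netip.Addr, error) {
	ips, err := net.LookupIP(host)
	if err != nil {
		return nil, err
	}
	out := make([]netip.Addr, 0, len(ips))
	for _, ip := range ips {
		if a, ok := netip.AddrFromSlice(ip); ok {
			out = append(out, a)
		}
	}
	return out, nil
}

// validateProxyTarget returns nil only when raw has an http/https scheme and
// every address its host maps to is public. A name that resolves to a mix of
// public and internal addresses is rejected as a whole.
func validateProxyTarget(raw string, lookup resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid url: %w", err)
	}
	scheme := strings.ToLower(u.Scheme)
	if scheme != "http" && scheme != "https" {
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	host := strings.ToLower(u.Hostname()) // brackets around IPv6 literals are already stripped
	if host == "" {
		return errors.New("missing host")
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return ErrBlocked
	}
	if a, err := netip.ParseAddr(host); err == nil { // literal IP: no lookup needed
		if isInternal(a) {
			return ErrBlocked
		}
		return nil
	}
	addrs, err := lookup(host)
	if err != nil {
		return fmt.Errorf("resolve %q: %w", host, err)
	}
	if len(addrs) == 0 {
		return fmt.Errorf("resolve %q: no addresses", host)
	}
	for _, a := range addrs {
		if isInternal(a) {
			return ErrBlocked
		}
	}
	return nil
}

// stubLookup is a constructed name table standing in for DNS so the example runs offline.
// 203.0.113.0/24 is the TEST-NET-3 documentation range, used here as a stand-in public address.
func stubLookup(host string) ([]netip.Addr, error) {
	table := map[string][]netip.Addr{
		"public.example":     {netip.MustParseAddr("203.0.113.10")},
		"intranet.corp.test": {netip.MustParseAddr("10.0.0.5")},
		"mixed.test":         {netip.MustParseAddr("203.0.113.10"), netip.MustParseAddr("127.0.0.1")},
	}
	if addrs, ok := table[host]; ok {
		return addrs, nil
	}
	return nil, errors.New("no such host")
}

func main() {
	for _, target := range []string{
		"http://127.0.0.1:8025/api/v1/info", // the advisory's PoC target
		"http://169.254.169.254/",           // cloud metadata address
		"http://[::ffff:127.0.0.1]/",        // IPv4-mapped loopback
		"http://intranet.corp.test/",        // resolves to RFC 1918 space
		"http://mixed.test/",                // public and loopback answers
		"ftp://public.example/",             // wrong scheme
		"http://public.example/",            // allowed
	} {
		fmt.Printf("%-40s -> %v\n", target, validateProxyTarget(target, stubLookup))
	}
}
```

In a real deployment the same `isInternal` classification should also be applied to the address actually dialled (for example in a `net.Dialer` `Control` hook) and to every redirect target, since a name can resolve differently between this check and the request; `systemResolver` is the lookup to pass in production, `stubLookup` exists only for the offline run.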

Affected packages (2)

CVSS score

Source: osv
Version: CVSS 3.1
Severity: MEDIUM 5.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Reference links (5)