Headline
GHSA-8v65-47jx-7mfr: Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability
Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit’s /proxy endpoint that allows attackers to make requests to internal network resources.
Description
The /proxy endpoint allows requests to internal network resources. While it validates http:// and https:// schemes, it does not block internal IP addresses, allowing attackers to access internal services and APIs.
Proof of Concept
Basic SSRF Request
GET /proxy?url=http://127.0.0.1:8025/api/v1/info
This returns internal API data including database path and runtime statistics.
Impact Assessment
1. Internal Network Scanning
Attacker can probe and discover internal services on the network.
2. Information Disclosure
Access to internal API data, database paths, and runtime statistics.
3. Email Content Access
Ability to read all captured emails via internal API endpoints.
4. Cloud Metadata Access
If deployed in cloud environments (AWS/GCP/Azure), potential access to instance metadata services (e.g., http://169.254.169.254/).
Attack Scenarios
Scenario 1: Development Environment Exposure
If Mailpit is accidentally exposed to the internet, attackers can leverage SSRF to access internal development resources and services.
Scenario 2: Container Escape Information
In containerized deployments, SSRF can reveal container metadata and internal service configurations.
Scenario 3: Lateral Movement
In corporate networks, SSRF can be used to discover and interact with internal services, facilitating lateral movement.
Mitigating Factors
This vulnerability is limited to HTTP GET requests with minimal headers. Additionally, Mailpit’s web UI & API should be protected by basic authentication when exposed to the internet, which prevents access to the proxy endpoint.
Resources
Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit’s /proxy endpoint that allows attackers to make requests to internal network resources.
Description
The /proxy endpoint allows requests to internal network resources. While it validates http:// and https:// schemes, it does not block internal IP addresses, allowing attackers to access internal services and APIs.
Proof of Concept****Basic SSRF Request
GET /proxy?url=http://127.0.0.1:8025/api/v1/info
This returns internal API data including database path and runtime statistics.
Impact Assessment****1. Internal Network Scanning
Attacker can probe and discover internal services on the network.
2. Information Disclosure
Access to internal API data, database paths, and runtime statistics.
3. Email Content Access
Ability to read all captured emails via internal API endpoints.
4. Cloud Metadata Access
If deployed in cloud environments (AWS/GCP/Azure), potential access to instance metadata services (e.g., http://169.254.169.254/).
Attack Scenarios****Scenario 1: Development Environment Exposure
If Mailpit is accidentally exposed to the internet, attackers can leverage SSRF to access internal development resources and services.
Scenario 2: Container Escape Information
In containerized deployments, SSRF can reveal container metadata and internal service configurations.
Scenario 3: Lateral Movement
In corporate networks, SSRF can be used to discover and interact with internal services, facilitating lateral movement.
Mitigating Factors
This vulnerability is limited to HTTP GET requests with minimal headers. Additionally, Mailpit’s web UI & API should be protected by basic authentication when exposed to the internet, which prevents access to the proxy endpoint.
Resources
- MDN Web Security - SSRF Attacks
- CWE-918: Server-Side Request Forgery
- OWASP SSRF Prevention Cheat Sheet
References
- GHSA-8v65-47jx-7mfr
- axllent/mailpit@3b9b470