+ "details": "**Summary**\nThe Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability.\n\nAn attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time.\n\n**Vulnerable Code**\nThe vulnerability exists in server/websockets/client.go where the CheckOrigin function is explicitly set to return true for all requests, bypassing standard Same-Origin Policy (SOP) protections provided by the gorilla/websocket library.\n\nhttps://github.com/axllent/mailpit/blob/877a9159ceeaf380d5bb0e1d84017b24d2e7b361/server/websockets/client.go#L34-L39\n\n**Impact**\nThis vulnerability impacts the Confidentiality of the data stored in or processed by Mailpit.\nAlthough Mailpit is often used as a local development tool, this vulnerability allows remote exploitation via a web browser.\n\n- **Scenario**: A developer has Mailpit running at localhost:8025.\n- **Trigger**: The developer visits a malicious website (or a compromised legitimate site) in the same browser.\n- **Exploitation**: The malicious site's JavaScript initiates a WebSocket connection to ws://localhost:8025/api/events. Since the origin check is disabled, the browser allows this cross-origin connection.\n- **Data Leak**: The attacker receives all broadcasted events, including full email details (subjects, sender/receiver info) and server metrics.\n\n**Attack Impact**\n- Real-time notification of new emails\n- Email metadata (sender, subject, recipients)\n- Mailbox statistics\n- All WebSocket broadcast data\n\n**Recommended Fix**\nThe `CheckOrigin` function should be removed to allow gorilla/websocket to enforce its default safe behavior (checking that the Origin matches the Host). Alternatively, strict validation logic should be implemented.\n\n**Proposed Change (Remove unsafe check):**\n\n```go\nvar upgrader = websocket.Upgrader{\n ReadBufferSize: 1024,\n WriteBufferSize: 1024,\n // CheckOrigin: func(r *http.Request) bool { return true }, // REMOVED\n EnableCompression: true,\n}\n```\n\n**Proof of Concept (PoC)**: To reproduce this vulnerability:\n\n- Start Mailpit (default settings).\n- Save the following HTML code as poc.html and serve it from a different origin (e.g., using python http.server on port 8000 or opening it directly as a file).\n- Open the [poc_websocket_hijack.html](https://github.com/user-attachments/files/24522726/poc_websocket_hijack.html) file in your browser.\n- Send a test email to Mailpit or perform any action in the Mailpit UI.\n- Observe that the \"malicious\" page successfully receives the event data.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments