GHSA-524m-q5m7-79mm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-524m-q5m7-79mm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-524m-q5m7-79mm/GHSA-524m-q5m7-79mm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-524m-q5m7-79mm
- Aliases
- Published
- 2026-01-13T15:11:42Z
- Modified
- 2026-02-03T03:01:29.999168Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails
- Details
-
Summary The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability.
An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time.
Vulnerable Code The vulnerability exists in server/websockets/client.go where the CheckOrigin function is explicitly set to return true for all requests, bypassing standard Same-Origin Policy (SOP) protections provided by the gorilla/websocket library.
https://github.com/axllent/mailpit/blob/877a9159ceeaf380d5bb0e1d84017b24d2e7b361/server/websockets/client.go#L34-L39
Impact This vulnerability impacts the Confidentiality of the data stored in or processed by Mailpit. Although Mailpit is often used as a local development tool, this vulnerability allows remote exploitation via a web browser.
- Scenario: A developer has Mailpit running at localhost:8025.
- Trigger: The developer visits a malicious website (or a compromised legitimate site) in the same browser.
- Exploitation: The malicious site's JavaScript initiates a WebSocket connection to ws://localhost:8025/api/events. Since the origin check is disabled, the browser allows this cross-origin connection.
- Data Leak: The attacker receives all broadcasted events, including full email details (subjects, sender/receiver info) and server metrics.
Attack Impact - Real-time notification of new emails - Email metadata (sender, subject, recipients) - Mailbox statistics - All WebSocket broadcast data
Recommended Fix The
CheckOriginfunction should be removed to allow gorilla/websocket to enforce its default safe behavior (checking that the Origin matches the Host). Alternatively, strict validation logic should be implemented.Proposed Change (Remove unsafe check):
var upgrader = websocket.Upgrader{ ReadBufferSize: 1024, WriteBufferSize: 1024, // CheckOrigin: func(r *http.Request) bool { return true }, // REMOVED EnableCompression: true, }Proof of Concept (PoC): To reproduce this vulnerability:
- Start Mailpit (default settings).
- Save the following HTML code as poc.html and serve it from a different origin (e.g., using python http.server on port 8000 or opening it directly as a file).
- Open the pocwebsockethijack.html file in your browser.
- Send a test email to Mailpit or perform any action in the Mailpit UI.
- Observe that the "malicious" page successfully receives the event data.
- Database specific
{ "cwe_ids": [ "CWE-1385" ], "github_reviewed_at": "2026-01-13T15:11:42Z", "nvd_published_at": "2026-01-10T06:15:51Z", "severity": "MODERATE", "github_reviewed": true }- References
Affected packages
Go / github.com/axllent/mailpit
Package
- Name
- github.com/axllent/mailpit
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/axllent/mailpit
Go / github.com/axllent/mailpit
Package
- Name
- github.com/axllent/mailpit
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/axllent/mailpit