GHSA-8v65-47jx-7mfr

Suggest an improvement
Source
https://github.com/advisories/GHSA-8v65-47jx-7mfr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-8v65-47jx-7mfr/GHSA-8v65-47jx-7mfr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8v65-47jx-7mfr
Aliases
Published
2026-01-06T17:44:29Z
Modified
2026-01-20T19:17:51.960619Z
Severity
  • 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS Calculator
Summary
Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability
Details

Summary

A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources.

Description

The /proxy endpoint allows requests to internal network resources. While it validates http:// and https:// schemes, it does not block internal IP addresses, allowing attackers to access internal services and APIs.

Proof of Concept

Basic SSRF Request

GET /proxy?url=http://127.0.0.1:8025/api/v1/info

This returns internal API data including database path and runtime statistics.

Impact Assessment

1. Internal Network Scanning

Attacker can probe and discover internal services on the network.

2. Information Disclosure

Access to internal API data, database paths, and runtime statistics.

3. Email Content Access

Ability to read all captured emails via internal API endpoints.

4. Cloud Metadata Access

If deployed in cloud environments (AWS/GCP/Azure), potential access to instance metadata services (e.g., http://169.254.169.254/).

Attack Scenarios

Scenario 1: Development Environment Exposure

If Mailpit is accidentally exposed to the internet, attackers can leverage SSRF to access internal development resources and services.

Scenario 2: Container Escape Information

In containerized deployments, SSRF can reveal container metadata and internal service configurations.

Scenario 3: Lateral Movement

In corporate networks, SSRF can be used to discover and interact with internal services, facilitating lateral movement.

Mitigating Factors

This vulnerability is limited to HTTP GET requests with minimal headers. Additionally, Mailpit's web UI & API should be protected by basic authentication when exposed to the internet, which prevents access to the proxy endpoint.

References

Database specific 
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2026-01-06T17:44:29Z",
    "nvd_published_at": "2026-01-08T00:16:00Z"
}
References

Affected packages

Go / github.com/axllent/mailpit

Package

Name
github.com/axllent/mailpit
View open source insights on deps.dev
Purl
pkg:golang/github.com/axllent/mailpit

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.28.1

Database specific

last_known_affected_version_range

"<= 1.28.0"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-8v65-47jx-7mfr/GHSA-8v65-47jx-7mfr.json"