ZeptoClaw: Email Sender Spoofing to bypass Header-Only From Allowlist Validation

Description

Summary

The email channel authorizes senders based on the parsed From header identity only. If upstream email authentication/enforcement is weak (for example, relaxed SPF/DKIM/DMARC handling), an attacker can spoof an allowlisted sender address and have the message treated as trusted input.

Details

Relevant code paths:

  • src/channels/email_channel.rs:311 extracts sender identity from parsed message headers:
  • let from = parsed.from() ... a.address() ...
  • src/channels/email_channel.rs:328 authorizes using that from value:
  • if !self.is_sender_allowed(&from) { ... }
  • src/channels/email_channel.rs:87 onward (is_sender_allowed) performs allowlist/domain matching against the same header-derived value.
  • There is no in-channel validation of sender authenticity indicators such as SPF/DKIM/DMARC results before allowlist trust decisions.

Result:
- Trust decision is based on a potentially spoofable header field unless mailbox/provider-side anti-spoofing controls are strong and enforced.

PoC

  1. Configure email channel with strict sender allowlist:
    - channels.email.enabled = true
    - channels.email.allowed_senders = ["[email protected]"]
    - channels.email.deny_by_default = true
  2. Ensure the monitored mailbox accepts or forwards a spoofed message (for testing, use a local SMTP path that does not enforce sender authentication strongly).
  3. Send an email to the monitored inbox with forged header identity:
python - <<'PY'
import smtplib
from email.message import EmailMessage

msg = EmailMessage()
msg["From"] = "[email protected]"   # forged trusted sender
msg["To"] = "[email protected]"
msg["Subject"] = "forged control message"
msg.set_content("FORGED EMAIL CONTENT")

# Example test SMTP endpoint
with smtplib.SMTP("127.0.0.1", 25) as s:
    s.send_message(msg)
PY
  1. Wait for IMAP fetch/IDLE processing.
  2. Observe the message is accepted as allowlisted sender [email protected] and published as inbound channel input.

Impact

  • Vulnerability type: sender identity spoofing risk due to header-based authorization.
  • Affected deployments: those using email channel allowlists where upstream anti-spoof controls are weak, misconfigured, or bypassed.
  • Security effect:
  • Spoofed From headers may bypass logical sender allowlist.
  • Malicious content can enter trusted automation/agent flows as if sent by authorized identities.
  • Risk is reduced in environments with strict SPF/DKIM/DMARC enforcement and strong inbound mail hygiene, but not eliminated at application layer.

Patch Recommendation

Add a sender-authentication gate in src/channels/email_channel.rs immediately after parsing from (src/channels/email_channel.rs:311) and before allowlist enforcement (src/channels/email_channel.rs:328). The gate should require trusted SPF/DKIM/DMARC evidence with domain alignment (for example, DMARC=pass, or aligned SPF/DKIM pass) before is_sender_allowed is evaluated. For backward compatibility, add a configurable mode in EmailConfig (for example, sender_verification_mode), but recommend hardened settings in production: dmarc_aligned, exact-address allowlists, and deny_by_default=true.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-03-12 16:38:22 UTC
Updated
2026-03-12 16:38:24 UTC
GitHub reviewed
2026-03-12 16:38:22 UTC

CVSS Scores

Base score Version Severity Vector
6.5 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

Type Value
GHSA GHSA-4cm8-xpfv-jv6f ↗

CWEs

CWE id Name
CWE-306 Missing Authentication for Critical Function
CWE-345 Insufficient Verification of Data Authenticity

Credits

  • zpbrent (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
rust zeptoclaw <= 0.7.5 0.7.6

References

cvelogic Threat Intelligence