Mailpit Proxy Endpoint has Server-Side Request Forgery (SSRF) vulnerability

Description

Summary

A Server-Side Request Forgery (SSRF) vulnerability exists in Mailpit's /proxy endpoint that allows attackers to make requests to internal network resources.

Description

The /proxy endpoint allows requests to internal network resources. While it validates http:// and https:// schemes, it does not block internal IP addresses, allowing attackers to access internal services and APIs.

Proof of Concept

Basic SSRF Request

GET /proxy?url=http://127.0.0.1:8025/api/v1/info

This returns internal API data including database path and runtime statistics.

Impact Assessment

1. Internal Network Scanning

Attacker can probe and discover internal services on the network.

2. Information Disclosure

Access to internal API data, database paths, and runtime statistics.

3. Email Content Access

Ability to read all captured emails via internal API endpoints.

4. Cloud Metadata Access

If deployed in cloud environments (AWS/GCP/Azure), potential access to instance metadata services (e.g., http://169.254.169.254/).

Attack Scenarios

Scenario 1: Development Environment Exposure

If Mailpit is accidentally exposed to the internet, attackers can leverage SSRF to access internal development resources and services.

Scenario 2: Container Escape Information

In containerized deployments, SSRF can reveal container metadata and internal service configurations.

Scenario 3: Lateral Movement

In corporate networks, SSRF can be used to discover and interact with internal services, facilitating lateral movement.

Mitigating Factors

This vulnerability is limited to HTTP GET requests with minimal headers. Additionally, Mailpit's web UI & API should be protected by basic authentication when exposed to the internet, which prevents access to the proxy endpoint.

References

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-01-06 17:44:29 UTC
Updated
2026-01-20 19:03:30 UTC
GitHub reviewed
2026-01-06 17:44:29 UTC
NVD published
2026-01-07

EPSS Score

Score Percentile
1.02% 76.98%

CVSS Scores

Base score Version Severity Vector
5.8 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-918 Server-Side Request Forgery (SSRF)

Credits

  • omarkurt (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/axllent/mailpit <= 1.28.0 1.28.1

References

cvelogic Threat Intelligence