Mailpit - Cross-Site WebSocket Hijacking (CSWSH)
Overview
A Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in Mailpit. It allows remote attackers to intercept sensitive data such as email contents, headers, and server statistics in real time.
Vulnerability Details
Affected Versions: <=1.28.1
Root Cause: The Mailpit WebSocket server is configured to accept connections from any origin. Because the Origin header is never validated, a page served from any other origin can open a WebSocket to the server and hijack the connection.
Vulnerable Code:
The vulnerability exists in server/websockets/client.go, where the CheckOrigin function is explicitly set to return true for every request. This overrides the default origin check of the gorilla/websocket library, which otherwise rejects upgrade requests whose Origin host does not match the request Host (the library's Same-Origin Policy protection).
    // Vulnerable upgrader configuration: CheckOrigin accepts every Origin,
    // so cross-site pages can complete the WebSocket handshake.
    var upgrader = websocket.Upgrader{
        ReadBufferSize:  1024,
        WriteBufferSize: 1024,
        CheckOrigin: func(r *http.Request) bool {
            return true
        },
        EnableCompression: true,
    }
Exploitation Requirements
- No authentication required.
- Victim must visit a malicious website while running Mailpit locally.
Impact
Remote attackers can exploit this vulnerability to:
- Intercept sensitive email data (subjects, bodies, recipients).
- Access server statistics.
- Receive real-time notifications of new emails.
Proof of Concept
An attacker can host a malicious website that establishes a WebSocket connection to the victim's Mailpit instance (e.g., ws://localhost:8025/api/events). Since the origin check is disabled, the browser allows this cross-origin connection, and every broadcast event is leaked to the attacker's page.
Solution
Upgrade to the latest version of Mailpit (1.21.1 or later), which implements proper Origin validation or removes the unsafe CheckOrigin override so that the library's default same-origin protection applies.
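The following is an added example, not Mailpit's own code, showing what a hardened CheckOrigin function looks like. It uses only the Go standard library and mirrors the behaviour of the gorilla/websocket default check (compare the Origin host with the request Host), plus a hypothetical allowlist (`allowedOrigins`) for deployments that legitimately serve the UI from a different host. The request values and the helper `newUpgradeRequest` are constructed here for demonstration; the function signature matches the `CheckOrigin` field type shown above, so it can be assigned to that field in place of the `return true` closure.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// allowedOrigins is a hypothetical explicit allowlist of Origin hosts
// (host[:port], lower-case). Empty means "same-origin only".
var allowedOrigins = map[string]bool{}

// checkOrigin is a drop-in replacement for the permissive CheckOrigin closure.
// It accepts the upgrade only when the browser-supplied Origin host equals the
// Host the request was sent to, or is explicitly allowlisted.
// A missing Origin header is accepted: non-browser clients do not send one and
// are not subject to CSWSH, which is a browser-driven attack.
func checkOrigin(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	host := strings.ToLower(u.Host)
	if host == "" { // covers "Origin: null" and malformed values
		return false
	}
	if allowedOrigins[host] {
		return true
	}
	// Same-origin: scheme-agnostic host:port comparison, as the library default does.
	return strings.EqualFold(u.Host, r.Host)
}

// newUpgradeRequest builds a constructed handshake request for demonstration.
// http.NewRequest sets r.Host from the URL, just as the server would see it.
func newUpgradeRequest(target, origin string) *http.Request {
	r, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		panic(err)
	}
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	cases := []struct{ target, origin string }{
		{"http://localhost:8025/api/events", "http://localhost:8025"},  // same origin: allowed
		{"http://localhost:8025/api/events", "http://attacker.example"}, // cross-site page: rejected
		{"http://localhost:8025/api/events", "http://localhost:9000"},  // different port: rejected
		{"http://localhost:8025/api/events", "null"},                   // sandboxed/opaque origin: rejected
		{"http://localhost:8025/api/events", ""},                       // non-browser client: allowed
	}
	for _, c := range cases {
		fmt.Printf("Origin=%q -> allowed=%v\n", c.origin, checkOrigin(newUpgradeRequest(c.target, c.origin)))
	}
}
```

The comparison is on host and port, not scheme, which is exactly what the library default does; if you need to accept a separate UI host, add it to the allowlist rather than loosening the comparison, and keep the allowlist out of user-controlled configuration paths.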