Mailpit Server-Side Request Forgery Vulnerability in Proxy Endpoint
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Mailpit, an email testing tool for developers. It affects Mailpit versions through 1.28.0 and resides in the '/proxy' endpoint. The endpoint only checks that the supplied URL uses the 'http://' or 'https://' scheme; it does not reject targets that resolve to loopback, private, or link-local addresses, so an attacker can make the Mailpit server fetch internal services and APIs on their behalf. Exploitation is limited to HTTP GET requests carrying minimal headers, which constrains but does not prevent abuse.
Impact
Exploitation of this vulnerability allows internal network scanning and information disclosure: the attacker can read internal API data such as database paths and runtime statistics, and can read every captured email through the internal API endpoints. In cloud environments such as AWS, GCP, or Azure there is potential access to the instance metadata service; whether that succeeds depends on the provider, since a GET-only proxy that forwards minimal headers cannot supply a custom request header or perform a non-GET token step where the metadata service requires one.
Reproduction
To reproduce this vulnerability, send a GET request to the '/proxy' endpoint with a URL parameter pointing to an internal resource, for example 'http://127.0.0.1:8025/api/v1/info' (8025 being Mailpit's own HTTP port). The response contains the internal API data, including database paths and runtime statistics, confirming that the proxy fetched a loopback address on the attacker's behalf.
Remediation
Update to Mailpit version 1.28.1, which addresses this vulnerability by restricting the proxy to asset links contained in captured messages, so an arbitrary attacker-supplied target is no longer fetched. Unsupported content types now result in a generic HTTP error. Until the upgrade is applied, do not expose the Mailpit UI beyond the development network.
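The following is added example code illustrating both the reproduction step and the two kinds of check discussed above; it is not Mailpit's own code. It assumes that the proxy takes its target in a query parameter named 'url' and that the Mailpit instance is reachable at 'http://mailpit.example.test:8025' (both hypothetical). 'is_safe_proxy_target' is the address check the vulnerable endpoint lacked (scheme check plus rejection of any host that resolves to a non-public address), and 'is_message_asset' sketches the allowlist approach taken in 1.28.1, where only links that actually appear in a stored message may be proxied; it is an illustration of that idea, not the project's implementation.

```python
"""Illustrative checks for the Mailpit /proxy SSRF (added example, not Mailpit code).

Assumptions not confirmed by the advisory: the proxy's query parameter is
named `url`; the asset allowlist below is only a sketch of the 1.28.1 fix.
"""
import ipaddress
import socket
from html.parser import HTMLParser
from typing import Callable, List, Set
from urllib.parse import urlencode, urlsplit

MAILPIT_PROXY_PATH = "/proxy"


def proxy_probe_url(mailpit_base: str, target: str) -> str:
    """Build the GET request used in the reproduction step.

    mailpit_base is the externally reachable Mailpit UI (hypothetical
    "http://mailpit.example.test:8025"); target is the internal URL the proxy
    is asked to fetch. The parameter name `url` is an assumption.
    """
    return mailpit_base.rstrip("/") + MAILPIT_PROXY_PATH + "?" + urlencode({"url": target})


def default_resolver(host: str) -> List[str]:
    """Resolve host to all of its A/AAAA addresses (real DNS; swapped out in tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_proxy_target(url: str, resolve: Callable[[str], List[str]] = default_resolver) -> bool:
    """The check the vulnerable endpoint lacked: accept only http(s), then refuse
    any target whose host resolves to a non-public address.

    Every resolved address must be global: loopback, RFC 1918, link-local
    (including the 169.254.169.254 cloud metadata address), multicast, reserved
    and unspecified addresses are all rejected. Resolving the name closes the
    `localhost` / `*.internal` bypasses of a literal-IP denylist.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False  # credentials in the URL are a classic host-confusion trick
    try:
        addrs = resolve(parts.hostname)
    except (socket.gaierror, UnicodeError):
        return False
    if not addrs:
        return False
    for raw in addrs:
        try:
            ip = ipaddress.ip_address(raw.split("%")[0])  # strip IPv6 zone id
        except ValueError:
            return False
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must count as 127.0.0.1
        if not ip.is_global:
            return False
    return True


class _AssetCollector(HTMLParser):
    """Collect every src/href value from a message body."""

    def __init__(self) -> None:
        super().__init__()
        self.assets: Set[str] = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.assets.add(value.strip())


def message_asset_links(message_html: str) -> Set[str]:
    collector = _AssetCollector()
    collector.feed(message_html)
    return collector.assets


def is_message_asset(url: str, message_html: str) -> bool:
    """Allowlist approach: the proxy only fetches links that actually appear in
    the stored message, so an arbitrary attacker-supplied target is refused even
    when it points at a public host."""
    return url in message_asset_links(message_html)


if __name__ == "__main__":
    # Constructed sample: a captured message containing one remote image.
    sample_msg = '<html><body><img src="https://cdn.example.com/logo.png"></body></html>'
    probe = proxy_probe_url("http://mailpit.example.test:8025", "http://127.0.0.1:8025/api/v1/info")
    print("probe request:", probe)
    print("loopback target allowed by address check:", is_safe_proxy_target("http://127.0.0.1:8025/api/v1/info"))
    print("loopback target allowed by message allowlist:", is_message_asset("http://127.0.0.1:8025/api/v1/info", sample_msg))
```

The address check is the minimum a general-purpose proxy needs, but note that it resolves the name at check time; a DNS-rebinding attacker can return a public address during the check and a loopback address on the real fetch, which is why the allowlist in 1.28.1 (only links already present in a captured message) is the more robust fix for Mailpit's use case.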
