Mailpit Cross-Site WebSocket Hijacking Vulnerability

Vulnerability

A Cross-Site WebSocket Hijacking (CSWSH) vulnerability has been identified in Mailpit versions prior to 1.28.2. The issue arises because the WebSocket server accepts connections from any origin, lacking proper validation of the Origin header. This vulnerability allows an attacker to intercept sensitive data in real time, such as email contents, headers, and server statistics. Exploitation occurs when a developer running Mailpit locally visits a malicious website, which then establishes a WebSocket connection to the Mailpit instance on localhost.

Impact

Exploitation of this vulnerability allows unauthorized access to WebSocket data, including intercepted email details and server metrics, in real time.

Reproduction

To reproduce this vulnerability, run Mailpit version 1.28.1 or earlier on the default WebSocket port. Then, visit a malicious website or a compromised legitimate site using the same browser. The website's JavaScript can initiate a WebSocket connection to the Mailpit instance because the origin check is disabled. Once connected, all WebSocket broadcast data, including email details and server statistics, is delivered to the malicious site.

Remediation

Users can update to Mailpit version 1.28.2 or later, where this vulnerability has been patched.
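The fix for this class of bug is to validate the Origin header before completing the WebSocket upgrade. The Go code below is an added example written for this page, not Mailpit's own code or its actual patch: OriginAllowed accepts a handshake only when the Origin is absent (non-browser clients), is same-origin with the request's Host and scheme, or is on an explicit allowlist; RequireAllowedOrigin wraps any handler, returns 403 otherwise, and logs the rejected origin so a hijack attempt leaves a trace. The port 8025, the host names and the allowlist entry are constructed sample values.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// withDefaultPort normalises "host" or "host:port" to lower-case "host:port",
// filling in 80 or 443 from the scheme when the port is omitted, so that
// "http://localhost" and a Host header of "localhost:80" compare equal.
func withDefaultPort(hostport, scheme string) string {
	if _, _, err := net.SplitHostPort(hostport); err == nil {
		return strings.ToLower(hostport)
	}
	host := strings.TrimSuffix(strings.TrimPrefix(hostport, "["), "]") // bare IPv6 literal
	port := "80"
	if scheme == "https" {
		port = "443"
	}
	return strings.ToLower(net.JoinHostPort(host, port))
}

// sameOrigin is the browser definition of origin equality: scheme, host and
// effective port must all match.
func sameOrigin(a, b *url.URL) bool {
	return strings.EqualFold(a.Scheme, b.Scheme) &&
		withDefaultPort(a.Host, a.Scheme) == withDefaultPort(b.Host, b.Scheme)
}

// OriginAllowed decides whether a WebSocket upgrade may proceed (example policy,
// not Mailpit's). origin is the raw Origin header ("" if absent), reqHost the
// request's Host header, reqTLS whether the request arrived over TLS, and
// allowlist any extra origins the operator trusts explicitly.
//
// A missing Origin is accepted: browsers always send one on a WebSocket
// handshake, so only non-browser clients omit it, and CSWSH is a browser attack.
// Anything else must be same-origin or allowlisted; "null" and non-web schemes
// never match.
func OriginAllowed(origin, reqHost string, reqTLS bool, allowlist []string) bool {
	if origin == "" {
		return true
	}
	o, err := url.Parse(origin)
	if err != nil || o.Host == "" || (o.Scheme != "http" && o.Scheme != "https") {
		return false
	}
	reqScheme := "http"
	if reqTLS {
		reqScheme = "https"
	}
	if sameOrigin(o, &url.URL{Scheme: reqScheme, Host: reqHost}) {
		return true
	}
	for _, a := range allowlist {
		if u, err := url.Parse(a); err == nil && sameOrigin(o, u) {
			return true
		}
	}
	return false
}

// RequireAllowedOrigin wraps the WebSocket handler: cross-site handshakes get a
// 403 before any upgrade happens, and the rejection is logged for detection.
func RequireAllowedOrigin(next http.Handler, allowlist []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if !OriginAllowed(origin, r.Host, r.TLS != nil, allowlist) {
			log.Printf("rejected WebSocket handshake: origin=%q host=%q remote=%s",
				origin, r.Host, r.RemoteAddr)
			http.Error(w, "forbidden origin", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed handshakes: a legitimate same-origin page, the cross-site
	// page described in this advisory, a non-browser client, and a "null" origin.
	cases := []struct{ origin, host string }{
		{"http://localhost:8025", "localhost:8025"},
		{"http://evil.example", "localhost:8025"},
		{"", "localhost:8025"},
		{"null", "localhost:8025"},
	}
	for _, c := range cases {
		fmt.Printf("origin=%-24q host=%-16q allowed=%v\n",
			c.origin, c.host, OriginAllowed(c.origin, c.host, false, nil))
	}
}
```

Two design points matter in practice: the comparison is on the full origin tuple (scheme, host, effective port), never a substring or suffix match, and the check runs before the upgrade so a rejected page never receives a single broadcast frame.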

Added: Jan 10, 2026, 6:16 AM
Updated: Jan 10, 2026, 6:16 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 7.7
relevance: 2.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.