Mailpit Server-Side Request Forgery Vulnerability in HTML Check Feature

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in Mailpit versions prior to 1.28.3. The issue lies in the HTML Check feature of the API, which analyses HTML emails for client compatibility. As part of that analysis, the 'inlineRemoteCSS()' function fetches every stylesheet referenced by a '<link rel="stylesheet" href="...">' tag and inlines it for testing, without restricting where the URL may point. Because the href is fully controlled by whoever sent the email, an attacker can make the Mailpit server issue HTTP requests to internal services or to cloud metadata endpoints, potentially exposing sensitive information.

Impact

Exploitation of this vulnerability allows for Server-Side Request Forgery: the attacker makes the Mailpit server send requests to internal or external resources on their behalf. Depending on the deployment, this can reach services bound to the loopback interface or the internal network that are not otherwise exposed, or the cloud provider's metadata service, which may hold sensitive information such as IAM credentials. The attacker needs only to deliver an email to the instance and have the HTML check run on that message.

Reproduction

To reproduce this vulnerability, first stand up a listener you control (for example, a simple HTTP server that logs incoming requests) so that outbound fetches made by Mailpit can be observed. Then send Mailpit an HTML email whose head contains '<link rel="stylesheet" href="...">' tags pointing at that listener and at an internal target such as a cloud metadata endpoint or a service on the loopback interface. Once the message has been received, use the Mailpit API to trigger the HTML check feature for that message. The server downloads every referenced stylesheet, including those pointing at the metadata or internal service URLs; the request arriving at your listener confirms that the fetch originates from the Mailpit server, demonstrating the SSRF.
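The following Go program is an added example, not Mailpit's code, illustrating the two halves of the issue described in the Vulnerability and Reproduction sections above: extracting stylesheet hrefs from an HTML body (the job 'inlineRemoteCSS()' performs) and then, instead of fetching each href as-is (the vulnerable pattern), vetting it the way a hardened implementation should. The HTML sample, the regex-based tag matcher, the function names, the loopback port and the metadata target are all constructed for this example; Mailpit's real parser and the exact change shipped in 1.28.3 are not shown here.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"regexp"
	"time"
)

// Constructed sample of the kind of HTML email the advisory describes.
// 169.254.169.254 is the link-local address used by several cloud providers'
// metadata services; the loopback port and CDN host are illustrative only.
const sampleHTML = `<html><head>
<link rel="stylesheet" href="http://169.254.169.254/latest/meta-data/">
<link rel="stylesheet" href="http://127.0.0.1:8025/">
<link rel="stylesheet" href="file:///etc/passwd">
<link rel="stylesheet" href="https://cdn.example.com/mail.css">
</head><body>hi</body></html>`

// linkRe is a deliberately simple matcher for <link rel="stylesheet" href="...">
// in the attribute order used by the sample (assumed here; not Mailpit's parser).
var linkRe = regexp.MustCompile(`(?is)<link\b[^>]*\brel\s*=\s*"stylesheet"[^>]*\bhref\s*=\s*"([^"]+)"`)

// StylesheetHrefs returns every stylesheet href in the document. The vulnerable
// pattern is to call http.Get on each of these without any further check.
func StylesheetHrefs(html string) []string {
	var out []string
	for _, m := range linkRe.FindAllStringSubmatch(html, -1) {
		out = append(out, m[1])
	}
	return out
}

// IsDisallowedIP reports whether an address must never be fetched on behalf of
// an email: loopback, RFC 1918 / IPv6 ULA private space, link-local (which
// covers the 169.254.169.254 metadata address), multicast and unspecified.
// The net.IP methods treat IPv4-mapped IPv6 (::ffff:127.0.0.1) as IPv4.
func IsDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// CheckStylesheetURL is the pre-flight check on an href: only http(s) is
// allowed, and a literal IP host must not be in a disallowed range. Hostnames
// (e.g. "localhost") are checked after resolution by guardedDialContext.
func CheckStylesheetURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("empty host")
	}
	if ip := net.ParseIP(host); ip != nil && IsDisallowedIP(ip) {
		return fmt.Errorf("address %s is not fetchable", ip)
	}
	return nil
}

// VetHrefs splits the stylesheet hrefs of an HTML body into those that pass the
// pre-flight check and those that are rejected, without touching the network.
func VetHrefs(html string) (allowed, rejected []string) {
	for _, h := range StylesheetHrefs(html) {
		if err := CheckStylesheetURL(h); err != nil {
			rejected = append(rejected, h)
		} else {
			allowed = append(allowed, h)
		}
	}
	return allowed, rejected
}

// guardedDialContext resolves the host itself and refuses to connect to any
// disallowed address, so names like "localhost", unusual IP spellings that
// net.ParseIP rejects, and DNS-rebinding tricks are all caught at connect time.
func guardedDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("no addresses for %s", host)
	}
	for _, ipa := range ips {
		if IsDisallowedIP(ipa.IP) {
			return nil, fmt.Errorf("refusing to connect to %s (%s)", host, ipa.IP)
		}
	}
	// Connect to the vetted address rather than letting the dialer re-resolve.
	d := net.Dialer{Timeout: 5 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// NewGuardedClient dials only through guardedDialContext and does not follow
// redirects, since a 302 to an internal address would bypass the URL check.
func NewGuardedClient() *http.Client {
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: guardedDialContext},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

func main() {
	allowed, rejected := VetHrefs(sampleHTML)
	fmt.Println("fetch via guarded client:", allowed)
	fmt.Println("rejected before fetch:   ", rejected)
	_ = NewGuardedClient() // use client.Get(href) for each allowed href
}
```

Two layers are needed because the pre-flight check alone is easy to get past: a hostname that resolves to an internal address, an IP spelled in a form the parser rejects, or a public host that later rebinds its DNS record all pass a string-level check, so the decision has to be repeated on the resolved address at connect time, and redirects must be disabled or re-checked the same way.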

Remediation

Users are advised to upgrade to Mailpit version 1.28.3 or later, where this vulnerability has been fixed.

Added: Jan 19, 2026, 7:48 PM
Updated: Jan 19, 2026, 7:48 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 2.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.