Mailpit's SMTP server reads each command line with an
unbounded bufio.Reader.ReadString('\n') before parsing
the command or enforcing any protocol length limit. A
remote SMTP client can send an oversized single command
line and force Mailpit to allocate attacker-controlled
memory before the server returns a syntax error or times
out, even though RFC 5321 limits SMTP command lines to
512 octets including CRLF.
Mailpit's thumbnail endpoint decodes attacker-supplied
image attachments into a full raster before checking any
decoded-pixel, dimension, or memory budget. A remote
client that can store an email and reach the default web
API can supply a compact high-dimension image, then request
/api/v1/message/{id}/part/{partID}/thumb to
force server-side memory and CPU work far larger than the
encoded attachment size before Mailpit returns a 180x120
thumbnail.