FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mailpit -- multiple vulnerabilities

Affected packages
mailpit < 1.30.4

Details

VuXML ID 7a56b0f7-7b62-11f1-8a70-10ffe07f9334
Discovery 2026-07-09
Entry 2026-07-09

Mailpit author reports:

Mailpit's SMTP server reads each command line with an unbounded bufio.Reader.ReadString('\n') before parsing the command or enforcing any protocol length limit. A remote SMTP client can send an oversized single command line and force Mailpit to allocate attacker-controlled memory before the server returns a syntax error or times out, even though RFC 5321 limits SMTP command lines to 512 octets including CRLF.

Mailpit's thumbnail endpoint decodes attacker-supplied image attachments into a full raster before checking any decoded-pixel, dimension, or memory budget. A remote client that can store an email and reach the default web API can supply a compact high-dimension image, then request /api/v1/message/{id}/part/{partID}/thumb to force server-side memory and CPU work far larger than the encoded attachment size before Mailpit returns a 180x120 thumbnail.

References

URL https://github.com/axllent/mailpit/security/advisories/GHSA-75mr-qw9x-3r39
URL https://github.com/axllent/mailpit/security/advisories/GHSA-w878-pj84-3j5v