Summary
The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability.
An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time.
Vulnerable Code
The vulnerability exists in server/websockets/client.go where the CheckOrigin function is explicitly set to return true for all requests, bypassing standard Same-Origin Policy (SOP) protections provided by the gorilla/websocket library.
|
var upgrader = websocket.Upgrader{ |
|
ReadBufferSize: 1024, |
|
WriteBufferSize: 1024, |
|
CheckOrigin: func(r *http.Request) bool { return true }, // allow multi-domain |
|
EnableCompression: true, // experimental compression |
|
} |
Impact
This vulnerability impacts the Confidentiality of the data stored in or processed by Mailpit.
Although Mailpit is often used as a local development tool, this vulnerability allows remote exploitation via a web browser.
- Scenario: A developer has Mailpit running at localhost:8025.
- Trigger: The developer visits a malicious website (or a compromised legitimate site) in the same browser.
- Exploitation: The malicious site's JavaScript initiates a WebSocket connection to ws://localhost:8025/api/events. Since the origin check is disabled, the browser allows this cross-origin connection.
- Data Leak: The attacker receives all broadcasted events, including full email details (subjects, sender/receiver info) and server metrics.
Attack Impact
- Real-time notification of new emails
- Email metadata (sender, subject, recipients)
- Mailbox statistics
- All WebSocket broadcast data
Recommended Fix
The CheckOrigin function should be removed to allow gorilla/websocket to enforce its default safe behavior (checking that the Origin matches the Host). Alternatively, strict validation logic should be implemented.
Proposed Change (Remove unsafe check):
var upgrader = websocket.Upgrader{
ReadBufferSize: 1024,
WriteBufferSize: 1024,
// CheckOrigin: func(r *http.Request) bool { return true }, // REMOVED
EnableCompression: true,
}
Proof of Concept (PoC): To reproduce this vulnerability:
- Start Mailpit (default settings).
- Save the following HTML code as poc.html and serve it from a different origin (e.g., using python http.server on port 8000 or opening it directly as a file).
- Open the poc_websocket_hijack.html file in your browser.
- Send a test email to Mailpit or perform any action in the Mailpit UI.
- Observe that the "malicious" page successfully receives the event data.
Summary
The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability.
An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time.
Vulnerable Code
The vulnerability exists in server/websockets/client.go where the CheckOrigin function is explicitly set to return true for all requests, bypassing standard Same-Origin Policy (SOP) protections provided by the gorilla/websocket library.
mailpit/server/websockets/client.go
Lines 34 to 39 in 877a915
Impact
This vulnerability impacts the Confidentiality of the data stored in or processed by Mailpit.
Although Mailpit is often used as a local development tool, this vulnerability allows remote exploitation via a web browser.
Attack Impact
Recommended Fix
The
CheckOriginfunction should be removed to allow gorilla/websocket to enforce its default safe behavior (checking that the Origin matches the Host). Alternatively, strict validation logic should be implemented.Proposed Change (Remove unsafe check):
Proof of Concept (PoC): To reproduce this vulnerability: