Skip to content

Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to message data

Moderate
axllent published GHSA-524m-q5m7-79mm Jan 9, 2026

Package

gomod github.com/axllent/mailpit (Go)

Affected versions

<=1.28.1
< 0.0.0-20260110031614

Patched versions

1.28.2
0.0.0-20260110031614

Description

Summary
The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking (CSWSH) vulnerability.

An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the victim's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, and server statistics in real-time.

Vulnerable Code
The vulnerability exists in server/websockets/client.go where the CheckOrigin function is explicitly set to return true for all requests, bypassing standard Same-Origin Policy (SOP) protections provided by the gorilla/websocket library.

var upgrader = websocket.Upgrader{
ReadBufferSize: 1024,
WriteBufferSize: 1024,
CheckOrigin: func(r *http.Request) bool { return true }, // allow multi-domain
EnableCompression: true, // experimental compression
}

Impact
This vulnerability impacts the Confidentiality of the data stored in or processed by Mailpit.
Although Mailpit is often used as a local development tool, this vulnerability allows remote exploitation via a web browser.

  • Scenario: A developer has Mailpit running at localhost:8025.
  • Trigger: The developer visits a malicious website (or a compromised legitimate site) in the same browser.
  • Exploitation: The malicious site's JavaScript initiates a WebSocket connection to ws://localhost:8025/api/events. Since the origin check is disabled, the browser allows this cross-origin connection.
  • Data Leak: The attacker receives all broadcasted events, including full email details (subjects, sender/receiver info) and server metrics.

Attack Impact

  • Real-time notification of new emails
  • Email metadata (sender, subject, recipients)
  • Mailbox statistics
  • All WebSocket broadcast data

Recommended Fix
The CheckOrigin function should be removed to allow gorilla/websocket to enforce its default safe behavior (checking that the Origin matches the Host). Alternatively, strict validation logic should be implemented.

Proposed Change (Remove unsafe check):

var upgrader = websocket.Upgrader{
    ReadBufferSize:    1024,
    WriteBufferSize:   1024,
    // CheckOrigin: func(r *http.Request) bool { return true }, // REMOVED
    EnableCompression: true,
}

Proof of Concept (PoC): To reproduce this vulnerability:

  • Start Mailpit (default settings).
  • Save the following HTML code as poc.html and serve it from a different origin (e.g., using python http.server on port 8000 or opening it directly as a file).
  • Open the poc_websocket_hijack.html file in your browser.
  • Send a test email to Mailpit or perform any action in the Mailpit UI.
  • Observe that the "malicious" page successfully receives the event data.

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVE ID

CVE-2026-22689

Weaknesses

Missing Origin Validation in WebSockets

The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid. Learn more on MITRE.

Credits