Executive Summary

This vulnerability is a Cross-Site WebSocket Hijacking (CSWSH) issue in the Mailpit WebSocket server. The server was configured to accept WebSocket connections from any origin without validating the Origin header, which bypasses the browser's Same-Origin Policy protections. An attacker can host a malicious website that, when visited by a developer running Mailpit locally, establishes a WebSocket connection to the developer's Mailpit instance (default ws://localhost:8025). This allows the attacker to intercept sensitive data such as email contents, headers, sender and recipient information, and server statistics in real-time. The root cause is that the CheckOrigin function in the WebSocket upgrader was set to always return true, disabling origin validation. This vulnerability was fixed by removing this unsafe override to restore proper origin checking. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a breach of confidentiality by allowing an attacker to intercept sensitive data transmitted over the WebSocket connection. Specifically, if a developer running Mailpit locally visits a malicious website, the attacker can hijack the WebSocket connection to Mailpit and access real-time email contents, headers, sender and recipient information, and server statistics without any authentication or privileges. This can expose sensitive email data and server metrics to unauthorized remote attackers, potentially compromising privacy and security. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the Mailpit WebSocket server is accepting connections from any origin without validating the Origin header. One way to detect this is to attempt to establish a WebSocket connection from a different origin to the Mailpit WebSocket endpoint (default ws://localhost:8025/api/events) and see if the connection is accepted. For example, you can use a command-line WebSocket client or a simple JavaScript snippet in a browser console from a different origin to connect to ws://localhost:8025/api/events. If the connection succeeds without origin validation, the system is vulnerable. Additionally, inspecting the Mailpit server code or configuration for the presence of a CheckOrigin function that always returns true can confirm the vulnerability. Specific commands might include using tools like 'websocat' or 'wscat' to connect to the WebSocket endpoint from a different origin, e.g.: wscat -c ws://localhost:8025/api/events. If the connection is accepted without origin restrictions, the vulnerability exists. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Mailpit to version 1.28.2 or later, where the vulnerability has been patched. The patch removes the unsafe CheckOrigin override in the WebSocket upgrader, restoring proper Origin header validation. If upgrading is not immediately possible, a temporary mitigation is to modify the Mailpit WebSocket server configuration to implement strict origin validation logic instead of allowing all origins. Specifically, remove or disable the CheckOrigin function that always returns true, allowing the default gorilla/websocket library origin checks to apply. This prevents cross-origin WebSocket connections and blocks the Cross-Site WebSocket Hijacking attack. [1, 2]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to intercept sensitive email data, including contents, headers, and sender/recipient information, in real-time without authentication. Such unauthorized disclosure of sensitive personal or confidential information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and health-related data against unauthorized access and breaches. Therefore, the vulnerability poses a risk to compliance by potentially exposing protected data to attackers. [1]

Useful 0 Not Useful 0