{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mailpit/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["mailpit"],"_cs_severities":["medium"],"_cs_tags":["dos","memory exhaustion","cve-2026-45713","mailpit"],"_cs_type":"advisory","_cs_vendors":["axllent"],"content_html":"\u003cp\u003eMailpit is susceptible to an unauthenticated remote denial-of-service (DoS) attack due to the absence of input size validation for SMTP DATA payloads and HTTP requests to the \u003ccode\u003e/api/v1/send\u003c/code\u003e endpoint. Specifically, the \u003ccode\u003eServer.MaxSize\u003c/code\u003e field in the Mailpit SMTP server, intended to control the maximum allowed DATA payload size, is never assigned a value, effectively disabling the size limit. Similarly, the HTTP endpoint lacks \u003ccode\u003ehttp.MaxBytesReader\u003c/code\u003e, resulting in unbounded memory allocation when processing requests. This vulnerability allows a network-reachable attacker to exhaust server memory by sending arbitrarily large messages via SMTP or HTTP, leading to an out-of-memory (OOM) condition and subsequent process termination. The default configuration binds listeners to \u003ccode\u003e[::]:1025\u003c/code\u003e (SMTP) and \u003ccode\u003e[::]:8025\u003c/code\u003e (HTTP) without authentication, exacerbating the risk. The issue affects Mailpit versions prior to 1.30.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker establishes a connection to the Mailpit SMTP server on \u003ccode\u003e[::]:1025\u003c/code\u003e or the HTTP server on \u003ccode\u003e[::]:8025\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFor SMTP, the attacker sends \u003ccode\u003eHELO\u003c/code\u003e, \u003ccode\u003eMAIL FROM\u003c/code\u003e, and \u003ccode\u003eRCPT TO\u003c/code\u003e commands to initiate a mail transaction.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the \u003ccode\u003eDATA\u003c/code\u003e command, signaling the start of the message body.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an arbitrarily large amount of data as the message body. Since the \u003ccode\u003eMaxSize\u003c/code\u003e limit is not enforced, the server buffers all incoming data in memory.\u003c/li\u003e\n\u003cli\u003eFor HTTP, the attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/v1/send\u003c/code\u003e with a large JSON payload in the request body, without exceeding the server\u0026rsquo;s read timeout.\u003c/li\u003e\n\u003cli\u003eMailpit attempts to process the excessively large message, leading to high memory consumption.\u003c/li\u003e\n\u003cli\u003eMemory usage continues to increase as the attacker sends more data, exceeding available system resources.\u003c/li\u003e\n\u003cli\u003eThe Mailpit process is terminated by the operating system due to an out-of-memory (OOM) condition, resulting in a denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated remote attackers to perform a denial-of-service attack against Mailpit installations. This can lead to service disruption, preventing legitimate users from utilizing the email testing functionality. Observed memory amplification reaches factors of 7-10x. The attack also fills disk space as oversized messages are persisted to the SQLite store.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Mailpit to version 1.30.0 or later to remediate CVE-2026-45713.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Mailpit Excessive SMTP Data\u0026rdquo; to identify potential exploitation attempts by monitoring for unusually large SMTP data transfers.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Mailpit Excessive HTTP API Send Payload\u0026rdquo; to identify potential exploitation attempts by monitoring for unusually large HTTP POST requests to the \u003ccode\u003e/api/v1/send\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eConsider implementing network-level rate limiting on ports 1025 (SMTP) and 8025 (HTTP) to mitigate the impact of potential DoS attacks.\u003c/li\u003e\n\u003cli\u003eMonitor system resource utilization (CPU, memory, disk I/O) on servers running Mailpit to detect anomalous behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T15:54:46Z","date_published":"2026-05-19T15:54:46Z","id":"https://feed.craftedsignal.io/briefs/2026-05-mailpit-dos/","summary":"Mailpit is vulnerable to an unauthenticated remote memory-exhaustion denial-of-service attack due to missing size limits on incoming SMTP DATA and HTTP requests, leading to unbounded memory and disk growth, potentially crashing the application.","title":"Mailpit Unauthenticated Remote Memory Exhaustion DoS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-mailpit-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Mailpit","version":"https://jsonfeed.org/version/1.1"}