Mutt: neomutt: in-reply-to email header field it not protected by cryptograpic signing

Vulnerability

The In-Reply-To email header field is not covered by cryptographic signing in mutt (all versions) and neomutt (all versions). This design flaw means that when a user sends a signed but not encrypted email, the In-Reply-To header can be arbitrarily modified by an attacker without breaking the signature on the rest of the message body [1][2]. The vulnerable code path is reachable during any email send operation that applies signing via protocols such as S/MIME or PGP/MIME, provided the message body is left unencrypted.

Exploitation

An attacker needs network access to intercept or observe a signed, unencrypted email message (e.g., via a man-in-the-middle position or compromised mail server). The attacker then captures the original message, strips or alters the In-Reply-To header to point to a different thread or recipient, and re-sends the tampered message. Because the cryptographic signature covers only the body and certain other headers (e.g., From, Date), the forged In-Reply-To remains undetected. User interaction is not required beyond the initial send [1][2].

Impact

Successful exploitation allows the attacker to impersonate the original sender of a signed email by repurposing the same signed body in a different context. The recipient sees a valid signature, trusts the message as authentic, and may act on the forged reply. This constitutes a high-severity integrity and impersonation compromise, potentially leading to phishing or misdirected communications [1][2].

Mitigation

As of November 2024, no official patch has been released by either mutt or neomutt upstream projects. Workarounds include using full encryption (not just signing) for all sensitive email, or adding manual verification of the In-Reply-To header via external tools. Both Red Hat and the open-source community have acknowledged the issue as a design limitation; users should monitor the respective project repositories for future fixes [1][2].