Mailpit

v1.27.10 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 7mo Communication & Email

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

email-testing go mailpit pop3-server smtp-relay smtp-server

+1 more

smtp-testing

Summary

AI summary

Updates Chore, https://github.com/axllent/mailpit/blob/develop/.github/SECURITY.md, and https://pkg.go.dev/expvar across a mixed release.

Full changelog

This release includes an important security fix, so upgrading is strongly recommended.

An HTTP endpoint was found which exposed expvar runtime information (memory usage, goroutine counts, GC behavior, uptime and potential runtime flags) due to the Prometheus client library dependency. While this information is not typically sensitive in the sense of revealing secrets or private data, it could potentially be used by an attacker to understand more about your system. A special thanks to @lisegmbh for responsibly disclosing the vulnerability.

Security

Prevent potential information disclosure via indirect expvar library (Prometheus)

Chore

Add tooltip to messages nav dropdown
Update GitHub Actions
Update Go dependencies
Update node dependencies

Security Fixes

Prevent potential information disclosure via indirect expvar library (Prometheus) – disclosed by @lisegmbh in https://github.com/axllent/mailpit/blob/develop/.github/SECURITY.md

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track Mailpit

Get notified when new releases ship.

About Mailpit

Email testing tool and API for developers

All releases →