Mailpit

v1.29.3 Security

This release includes 4 security fixes for security teams reviewing exposed deployments.

Published 2mo Communication & Email
✓ No known CVEs patched
This release patches 4 known CVEs

Topics

email-testing, go, mailpit, pop3-server, smtp-relay, smtp-server, smtp-testing

Affected surfaces

auth rce_ssrf

Summary

AI summary

HTML sanitization enhancements and proxy request size limit mitigate injection and OOM attacks.

Full changelog

Security

  • Enhance CORS origin handling to respect host:port distinctions
  • Limit proxy requests to 50MB to prevent OOM attacks
  • Enhance HTML sanitization in message view
  • Enhance HTML sanitization in screenshot generation
  • Escape ContentID in HTML replacement to prevent regex injection

Chore

  • Use last release + git hash in Docker edge versions
  • Refactor code with go fix
  • Switch to math/rand/v2
  • Refactor API send authentication logic
  • Refactor events websocket middleware
  • Set timeout for HTTP client in webhook Send function
  • Use local hostname for EHLO/HELO in SMTP communication
  • Simplify HTML decoding function in screenshot generation using DOMParser
  • Set margin & padding to HTML screenshot to prevent transparent top/left border
  • Replace localStorage retrieval with a dedicated function for default release addresses
  • Limit subject length to 100 characters in browser notifications
  • Improve transaction handling in pruneMessages and fix loop continuation in InitDB
  • Update Content-Disposition header to use inline display and escape filename
  • Refactor timezone handling in searchQueryBuilder
  • Update Go dependencies
  • Update node dependencies

Fix

  • Update SQL query to use tenant when using is:tagged filter

Security Fixes

  • CORS origin handling now respects host:port distinctions
  • Proxy requests limited to 50 MB, preventing OOM attacks
  • HTML sanitization in message view and screenshot generation enhanced
  • ContentID escaping prevents regex injection
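
The ContentID escaping item (listed under both Security and Security Fixes) concerns a Content-ID being interpolated into a regular expression when `cid:` references in the HTML are rewritten. The following Go example is added here and is not Mailpit's code; it assumes a simplified `cid:<Content-ID>` rewrite and places the unescaped pattern beside one escaped with `regexp.QuoteMeta`, so the difference in matching behaviour can be checked directly.

```go
package main

import (
	"fmt"
	"regexp"
)

// Assumed, simplified shape of the rewrite (not Mailpit's own code): inline
// attachments are referenced from the HTML as cid:<Content-ID> and each
// reference is rewritten to the URL the attachment is served from.

// unsafeReplaceCID builds the pattern from the raw Content-ID, so any regex
// metacharacters in the ID change what the pattern matches. Compile errors
// are returned rather than allowed to panic via MustCompile.
func unsafeReplaceCID(html, cid, url string) (string, error) {
	re, err := regexp.Compile("cid:" + cid)
	if err != nil {
		return "", err
	}
	// ReplaceAllLiteralString so a "$" in url is not read as a group reference.
	return re.ReplaceAllLiteralString(html, url), nil
}

// safeReplaceCID escapes the Content-ID with regexp.QuoteMeta so it can only
// match itself, which is the class of fix the changelog describes.
func safeReplaceCID(html, cid, url string) (string, error) {
	re, err := regexp.Compile("cid:" + regexp.QuoteMeta(cid))
	if err != nil {
		return "", err
	}
	return re.ReplaceAllLiteralString(html, url), nil
}

func main() {
	// Constructed message body with two inline images. Only the second carries
	// the Content-ID being rewritten, but the "." in the raw pattern also
	// matches the "x" in the first, so the unescaped version rewrites both.
	html := `<img src="cid:axb@example"><img src="cid:a.b@example">`
	for _, f := range []struct {
		name string
		fn   func(string, string, string) (string, error)
	}{{"unsafe", unsafeReplaceCID}, {"safe", safeReplaceCID}} {
		out, err := f.fn(html, "a.b@example", "/api/v1/attachment/2")
		fmt.Printf("%-6s %q err=%v\n", f.name, out, err)
	}
	// A Content-ID that is not a valid pattern breaks the unescaped version.
	_, err := unsafeReplaceCID(`<img src="cid:(">`, "(", "/x")
	fmt.Println("unsafe with '(':", err)
}
```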

About Mailpit

Email testing tool and API for developers
