
rspamd

v4.1.0 Security

This release includes security hardening fixes that matter for teams reviewing exposed deployments.

Published 11h Network Security

No CVE identifiers are referenced for this release; the security-relevant changes are the parser, URL/DNS and dependency hardening fixes listed in the changelog below.

Topics

c email lua rspamd spam-filter

Affected surfaces

auth rce_ssrf deps

ReleasePort's take

Moderate signal
editorial:auto 9h

rspamd 4.1.0 fixes a NULL dereference and out‑of‑bounds reads in the S/MIME, RAR/ZIP/7‑zip and other message parsers and hardens URL and DNS handling; it also introduces incompatible changes to mx_check and fuzzy_check.

Why it matters: the security severity scores for this release are the highest on the site (90 for the parser bugs). The parsers sit on the untrusted-input path, since every inbound message is parsed before any policy runs, so patch promptly on internet-facing deployments. The mx_check change renames outcome symbols (MX_NONE replaces MX_NXDOMAIN and MX_MISSING), so any rules, composites or score overrides that reference the old names must be updated before upgrading. fuzzy_check now discovers rspamd.com fuzzy servers via DNS SRV by default, which is worth reviewing on deployments with restricted egress.

Summary

AI summary

Incompatible changes in mx_check/fuzzy_check, bug fixes across parsers and storage, and new /checkv3 metadata support.

Changes in this release

Security Critical

Fixes a NULL dereference on S/MIME with empty pkcs7-data and bounds S/MIME recursion depth; hardens the RAR/ZIP/7‑zip parsers against malformed input; fixes out‑of‑bounds reads in CSS ident‑escape scanning, find_eoh lookahead, bare spf2. records and empty/all‑dots URL hosts; rejects DNS labels that overrun the packet; prevents an HTML entity‑decode buffer overflow; adds defensive mime_parser guards.

Source: llm_adapter@2026-06-05, granite4.1:30b@2026-06-05-audit

Confidence: low

Security High

Bounds URL query‑scan reentrancy on nested query URLs (multipattern), avoids uninitialised bytes in rfc2047 decode, guards image linking against a NULL decoded header, and ports libucl upstream security fixes (msgpack, parser bounds, schema).

Source: llm_adapter@2026-06-05

Confidence: low

Breaking High

Changes mx_check to use a three‑layer Redis cache with the new outcome symbol MX_NONE, which replaces MX_NXDOMAIN and MX_MISSING.

Source: llm_adapter@2026-06-05

Confidence: high

Breaking High

Enables fuzzy_check to discover rspamd.com servers via DNS SRV by default.

Source: llm_adapter@2026-06-05

Confidence: high

Feature Medium

Adds Upstreams load‑aware Power of Two Choices selection with latency EWMA, slow start, per‑target SRV expansion and deferred DNS.

Source: llm_adapter@2026-06-05

Confidence: high

Feature Medium

Introduces url_redirector chain‑aware cache, intermediate hop injection, glob‑based redirector_hosts_map and a per‑URL GET allowlist.

Source: llm_adapter@2026-06-05

Confidence: high

Feature Medium

Adds IP‑class classification, bad_mxs/bad_ips trust maps and per‑source checks to mx_check.

Source: llm_adapter@2026-06-05

Confidence: high

Feature Medium

Exposes custom metadata via metadata headers and task:get_metadata() in Protocol /checkv3.

Source: llm_adapter@2026-06-05

Confidence: high

Feature Medium

Adds a hot‑reloadable dynamic composites map.

Source: llm_adapter@2026-06-05

Confidence: high

Feature Medium

Extends the Lua API with bulk/regexp symbol lookups, phase‑specific timeouts and an on_error callback for lua_tcp, the lua_extras structured loader, and feedback parsers.

Source: llm_adapter@2026-06-05

Confidence: high

Feature Low

Scan timeouts now report pending async events and stalled symbols when a scan times out.

Source: granite4.1:30b@2026-06-05-audit

Confidence: low

Feature Low

Selectors gain fuzzy_digest, fuzzy_shingles, authenticated and received_count.

Source: granite4.1:30b@2026-06-05-audit

Confidence: low

Feature Low

Logging adds ClickHouse named extra_columns presets (including an outbound preset) and richer Elastic logs with Reply‑To, received IPs, URL metadata and forcing module details.

Source: granite4.1:30b@2026-06-05-audit

Confidence: low

Feature Low

external_services and scanners add per‑service <RULE>_CHECK anchor symbols for dependency ordering and support the eXpurgate engine in lua_scanners.

Source: granite4.1:30b@2026-06-05-audit

Confidence: low

Feature Low

The HTML/HTTP module defines HTML5 tag definitions (video, audio, picture, svg, etc.) and allows optional insertion‑ordered HTTP header emission.

Source: granite4.1:30b@2026-06-05-audit

Confidence: low

Feature Low

Tooling introduces rspamadm control memstat for per‑worker memory dumps, dmarc_report --batch-wait, and autolearnstats --sort-by / --group options.

Source: granite4.1:30b@2026-06-05-audit

Confidence: low

Feature Low

Containers & misc add an env‑overridable baseline pidfile and logging, auto‑load of the shipped fasttext model when present, and fixed‑point ("%.Nf") formatting with correct rounding in fpconv.

Source: granite4.1:30b@2026-06-05-audit

Confidence: low

Full changelog

Incompatible changes

  • mx_check: three-layer Redis cache and finer outcome symbols (MX_NONE replaces MX_NXDOMAIN/MX_MISSING)
  • fuzzy_check: discover rspamd.com servers via SRV by default

Features

  • Upstreams: load-aware Power of Two Choices selection, per-upstream latency EWMA, slow start on revive, per-target SRV expansion honouring weights and error budgets, and deferred DNS so transient startup failures no longer drop upstreams
  • url_redirector: chain-aware cache with intermediate hop injection, coherent browser fingerprint profiles for stealth resolution, glob-based redirector_hosts_map, and a per-URL GET allowlist
  • mx_check: IP-class classification, bad_mxs/bad_ips trust maps, and per-source checks
  • Protocol (/checkv3): expose custom metadata via metadata headers and task:get_metadata()
  • Composites: hot-reloadable dynamic composites map
  • Lua API: bulk and regexp symbol lookups on task; phase-specific (connect/read/write) timeouts and an on_error callback for lua_tcp; lua_extras structured loader for custom selectors, maps, and regexps with cross-kind dependency ordering; and lua_feedback_parsers for DSN and ARF reports
  • Scan timeouts: report pending async events and stalled symbols when a scan times out
  • Selectors: add fuzzy_digest, fuzzy_shingles, authenticated, and received_count
  • Logging & reporting: ClickHouse named extra_columns presets (with an outbound preset) and richer Elastic logs (Reply-To, received IPs, URL metadata, forcing module)
  • external_services & scanners: per-service <RULE>_CHECK anchor symbol for dependency ordering, plus eXpurgate engine support in lua_scanners
  • HTML/HTTP: HTML5 tag definitions (video/audio/picture/svg/…) and optional insertion-ordered HTTP header emission
  • Tooling: rspamadm control memstat for per-worker memory dumps (RSS, mempool callsites, Lua heap, jemalloc), dmarc_report --batch-wait, and autolearnstats --sort-by/--group
  • Containers & misc: env-overridable baseline pidfile and logging, auto-load of the shipped fasttext model when present, and fixed-point (%.Nf) formatting with correct rounding in fpconv
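The Upstreams entry above describes Power of Two Choices selection over a per-upstream latency EWMA with slow start on revive. The following is an added illustration of that scheme, written for this page; it is not rspamd's implementation, and the load formula, the EWMA factor of 0.2, the neutral 50 ms estimate for an unsampled upstream and the ten-step slow start are assumptions chosen for the example.

```python
"""Load-aware upstream selection: Power of Two Choices (P2C) over a per-upstream
latency EWMA, with slow start for a revived upstream.

Added illustration of the scheme described in the rspamd 4.1.0 Upstreams notes.
Not rspamd's code: the load formula, EWMA factor, neutral latency estimate and
slow-start length are assumptions chosen for this example.
"""
import random


class Upstream:
    def __init__(self, name, weight=1.0, ewma_alpha=0.2, slow_start_steps=10):
        self.name = name
        self.weight = weight
        self.alpha = ewma_alpha
        self.latency_ewma = None                 # seconds; None until the first sample
        self.inflight = 0
        self.alive = True
        self.slow_start_steps = slow_start_steps
        self.slow_start_pos = slow_start_steps   # full weight unless ramping

    def effective_weight(self):
        """Nominal weight, scaled down linearly while the upstream is in slow start."""
        ramp = (self.slow_start_pos + 1) / (self.slow_start_steps + 1)
        return self.weight * ramp

    def load_score(self):
        """Lower is better: outstanding work times expected latency per unit of weight.
        An upstream with no sample yet gets a neutral 50 ms estimate (assumption)."""
        latency = 0.05 if self.latency_ewma is None else self.latency_ewma
        return (self.inflight + 1) * latency / self.effective_weight()

    def start(self):
        self.inflight += 1

    def finish(self, latency):
        """Record one completed request and advance slow start by one step."""
        self.inflight -= 1
        if self.latency_ewma is None:
            self.latency_ewma = latency
        else:
            self.latency_ewma = self.alpha * latency + (1 - self.alpha) * self.latency_ewma
        if self.slow_start_pos < self.slow_start_steps:
            self.slow_start_pos += 1

    def mark_dead(self):
        self.alive = False

    def revive(self):
        """Bring the upstream back at a fraction of its weight so it is not flooded."""
        self.alive = True
        self.slow_start_pos = 0


def pick_upstream(upstreams, rng=random):
    """P2C: sample two alive upstreams and take the one with the lower load score."""
    alive = [u for u in upstreams if u.alive]
    if not alive:
        raise RuntimeError("no alive upstreams")
    if len(alive) == 1:
        return alive[0]
    a, b = rng.sample(alive, 2)
    return a if a.load_score() <= b.load_score() else b


def simulate(upstreams, nominal_latency, rounds, rng):
    """Drive `rounds` sequential requests through the selector; return picks per name."""
    counts = {u.name: 0 for u in upstreams}
    for _ in range(rounds):
        u = pick_upstream(upstreams, rng)
        counts[u.name] += 1
        u.start()
        u.finish(nominal_latency[u.name])
    return counts


def slow_start_curve(upstream, requests, latency=0.01):
    """Effective weight observed after each of `requests` completed calls."""
    curve = []
    for _ in range(requests):
        upstream.start()
        upstream.finish(latency)
        curve.append(upstream.effective_weight())
    return curve


if __name__ == "__main__":
    pool = [Upstream("a"), Upstream("b"), Upstream("c")]
    # Constructed latencies: a is fast, b is acceptable, c is badly lagging.
    print(simulate(pool, {"a": 0.010, "b": 0.050, "c": 0.500}, 300, random.Random(1)))
```

The point of P2C is that the lagging upstream is starved without any global sort: it only ever has to lose a pairwise comparison. In the constructed run, `c` is chosen at most once (the pick that gives it its first latency sample) and afterwards always loses, while `a` still takes roughly two thirds of the traffic because it wins every pair it appears in.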

Bug fixes

  • Security hardening (parsers): fix NULL deref on S/MIME with empty pkcs7-data, bound S/MIME recursion depth, harden RAR/ZIP/7-zip parsers against malformed input, fix OOB reads in CSS ident-escape scanning, find_eoh lookahead, bare spf2. records, and empty/all-dots URL hosts, reject DNS labels that overrun the packet, prevent an HTML entity-decode buffer overflow, and add defensive mime_parser guards
  • Security hardening (DoS & deps): bound URL query-scan reentrancy on nested query URLs (multipattern), avoid uninitialised bytes in rfc2047 decode, guard image linking against a NULL decoded header, and port libucl upstream security fixes (msgpack, parser bounds, schema)
  • fuzzy_storage: harden network input paths, fix peer-pipe partial-write resume and shutdown drain, plug a per-refresh leak in dynamic ban inserts and a per-frame leak on persistent TCP connections, and stop blocking allowed clients on TCP
  • neural: preserve the trained ANN across symbol-list drift and symcache-driven profile rotation, and stabilise the profile digest under disable_symbols_input while retargeting training to the newest profile
  • upstream: refill the token bucket over time so a flapping upstream recovers, and avoid an infinite loop in get_random when the only candidate is excluded
  • URLs: canonicalise mailto: URIs and bare emails to a slash-less form (RFC 6068), keep URLs with long userinfo (userinfo-obfuscation phishing), preserve the verbatim href as url->raw, and require TLD ≥ 3 chars for word_dot naked-domain matches
  • protocol (/checkv3): apply inline metadata.settings and populate request headers
  • composites: avoid over-eager second-pass deferral so filter-stage composites are visible from postfilters
  • Lua modules: fix a lua_tcp connection leak on read without write, resolve the Redis master for rspamadm tools under Sentinel, use Queue:new() in elastic, floor the dmarc connect timestamp for PUC Lua compatibility, separate the greylisting period from the Redis connection timeout, and write rspamadm vault output to stdout directly
  • Headers & encoding: emit ARC headers deterministically, map DKIM permfail to dkim=permerror in Authentication-Results, honour mime_utf8 in the INVALID_MSGID rule, correct lengths after in-place mime-header rewrites, keep capture groups that follow an empty one in regexp, and skip ICU conversion for the synthetic x-binaryenc charset
  • Misc: track all buckets in ratelimit selector rules, warn when task_timeout is less than the symcache symbol timeout, and use string_view::data() to fix libc++ builds
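The parser hardening bullet above includes "reject DNS labels that overrun the packet". The following added example, written for this page and not rspamd's code, shows the class of bug behind that fix and the bounded parser that closes it: a DNS name parser that trusts the length byte of each label reads past the buffer (in Python a slice past the end is silently short and the bogus offset is passed on; in C the same code is an out-of-bounds read), while the hardened version checks every read against the packet length and requires compression pointers to point strictly backwards. The sample packets are constructed for the example.

```python
"""Bounded DNS name parsing (RFC 1035 sections 3.1 and 4.1.4).

Added illustration for the "reject DNS labels that overrun the packet" fix in
rspamd 4.1.0.  Not rspamd's code.  The naive parser is the bug class; the
hardened parser is the check.
"""

MAX_NAME_LEN = 255
MAX_LABEL_LEN = 63


class MalformedName(ValueError):
    pass


def parse_name_naive(packet, offset):
    """Trusts every length byte: a label that overruns the packet is sliced short,
    the name is accepted, and the returned offset points past the end of the data.
    (No compression-pointer support; that is not the point here.)"""
    labels = []
    pos = offset
    while pos < len(packet):
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels), pos


def parse_name(packet, offset):
    """Return (name, offset after the name) or raise MalformedName.

    Every read is checked against len(packet).  Compression pointers must target
    an offset strictly below the lowest one seen so far, which rules out
    self-references, cycles and forward jumps (stricter than the RFC wording,
    but common resolver practice).
    """
    labels = []
    pos = offset
    resume = None          # where the caller continues after a compression pointer
    lowest = offset        # pointers must target an offset below this
    total = 0              # wire length of the assembled name so far
    while True:
        if pos >= len(packet):
            raise MalformedName("length byte beyond packet end")
        length = packet[pos]
        if length & 0xC0 == 0xC0:                       # two-byte compression pointer
            if pos + 1 >= len(packet):
                raise MalformedName("truncated compression pointer")
            target = ((length & 0x3F) << 8) | packet[pos + 1]
            if target >= lowest:
                raise MalformedName("compression pointer does not point backwards")
            if resume is None:
                resume = pos + 2
            lowest = target
            pos = target
            continue
        if length & 0xC0:
            raise MalformedName("reserved label type")
        pos += 1
        if length == 0:
            break
        if length > MAX_LABEL_LEN:
            raise MalformedName("label longer than 63 octets")
        if pos + length > len(packet):                  # the overrun check
            raise MalformedName("label overruns packet")
        total += length + 1
        if total + 1 > MAX_NAME_LEN:                    # +1 for the terminating root label
            raise MalformedName("name longer than 255 octets")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels), (resume if resume is not None else pos)


def rejects(packet, offset=0):
    """True if the hardened parser refuses the packet."""
    try:
        parse_name(packet, offset)
    except MalformedName:
        return True
    return False


def build_name(name):
    """Encode a dotted name in wire format (used to construct the sample packets)."""
    out = bytearray()
    for label in name.split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


# Constructed sample packets.
GOOD = build_name("mail.example.org")
# "mail" followed by a pointer back to "example.org" at offset 0.
COMPRESSED = build_name("example.org") + b"\x04mail\xc0\x00"
COMPRESSED_OFFSET = len(build_name("example.org"))
# First label claims 63 octets but only three follow.
TRUNCATED = b"\x3fexa"
# A pointer to itself at offset 0.
SELF_POINTER = b"\xc0\x00"
```

Note what the naive parser returns for `TRUNCATED`: a plausible-looking name and an offset of 64 in a 4-byte packet. A caller that goes on to read the type and class fields at that offset is exactly the out-of-bounds read the changelog describes.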

Full changelog: https://github.com/rspamd/rspamd/compare/4.0.1...4.1.0

Breaking Changes

  • mx_check: three-layer Redis cache introduced, with the new outcome symbol `MX_NONE` replacing `MX_NXDOMAIN` and `MX_MISSING`.
  • fuzzy_check: DNS SRV discovery of rspamd.com servers enabled by default.
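Because `MX_NONE` replaces two symbols, any local composite, score override or Lua rule that still names `MX_NXDOMAIN` or `MX_MISSING` stops matching silently after the upgrade. The following added pre-upgrade check, written for this page and not part of rspamd, scans local configuration text for the retired names and offers a mechanical rewrite. The sample configuration snippets are constructed; the file extensions scanned and the comment-stripping heuristic are assumptions.

```python
"""Pre-upgrade check for the rspamd 4.1.0 mx_check symbol rename.

Added helper, not part of rspamd.  MX_NXDOMAIN and MX_MISSING fold into
MX_NONE; find every local reference to the old names before upgrading.
"""
import re
from pathlib import Path

# Mapping taken from the 4.1.0 changelog.
RENAMED_SYMBOLS = {
    "MX_NXDOMAIN": "MX_NONE",
    "MX_MISSING": "MX_NONE",
}

# Word-boundary match so a longer local symbol such as MX_MISSING_FOO is not flagged.
_PATTERN = re.compile(r"\b(" + "|".join(map(re.escape, RENAMED_SYMBOLS)) + r")\b")


def find_renamed_refs(text, origin="<inline>"):
    """Return (origin, line_no, old_symbol, new_symbol) for every stale reference."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Heuristic: drop UCL (#, //) and Lua (--) comments so commented-out names
        # are not reported.  Good enough for a pre-upgrade grep, not a parser.
        code = re.split(r"#|--|//", line, maxsplit=1)[0]
        for match in _PATTERN.finditer(code):
            old = match.group(1)
            hits.append((origin, line_no, old, RENAMED_SYMBOLS[old]))
    return hits


def scan_config_dir(root):
    """Walk a local.d/override.d tree (assumed extensions) and collect stale references."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in {".conf", ".inc", ".lua"}:
            hits.extend(find_renamed_refs(path.read_text(errors="replace"), str(path)))
    return hits


def rewrite_refs(text):
    """Return text with the old names replaced (comments included); diff before committing."""
    return _PATTERN.sub(lambda m: RENAMED_SYMBOLS[m.group(1)], text)


# Constructed samples: a composite and a score override using the old names.
SAMPLE_COMPOSITES = """\
# composites.conf (constructed example)
SUSPICIOUS_SENDER_NO_MX {
    expression = "MX_MISSING & FROM_HAS_DN";
    score = 2.0;
}
# MX_NXDOMAIN appears only in this comment, so it is not reported
"""

SAMPLE_SCORES = """\
symbols {
    MX_NXDOMAIN { score = 3.5; }
}
"""

if __name__ == "__main__":
    for hit in (find_renamed_refs(SAMPLE_COMPOSITES, "composites.conf")
                + find_renamed_refs(SAMPLE_SCORES, "scores.conf")):
        print("%s:%d: %s -> %s" % hit)
```

Review the rewrite rather than applying it blindly: an expression that combined both old names, for example `MX_MISSING | MX_NXDOMAIN`, becomes `MX_NONE | MX_NONE`, which still works but should be simplified, and two score overrides for the old names collapse into one symbol whose score you must choose.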

Security Fixes

  • Security hardening: fixes a NULL dereference and bounds recursion depth in the S/MIME parser; fixes out‑of‑bounds reads in CSS ident‑escape scanning, find_eoh lookahead, bare spf2. records and empty/all‑dots URL hosts; prevents an HTML entity‑decode buffer overflow; rejects DNS labels that overrun the packet; hardens the RAR/ZIP/7‑zip parsers against malformed input; bounds URL query‑scan reentrancy; avoids uninitialised bytes in rfc2047 decode; ports libucl upstream security fixes.


About rspamd

Rapid spam filtering system.
