
Security vulnerabilities in dependencies

Open einsibjarni opened this issue 10 months ago • 0 comments

Hi,

I'm the maintainer of the mailslurper port in FreeBSD.

I just ran govulncheck on the mailslurper repo and it reported 4 known vulnerabilities:

=== Symbol Results ===

Vulnerability #1: GO-2025-3595
    Incorrect Neutralization of Input During Web Page Generation in x/net in
    golang.org/x/net
  More info: https://pkg.go.dev/vuln/GO-2025-3595
  Module: golang.org/x/net
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: pkg/mailslurper/SQLiteStorage.go:350:51: mailslurper.SQLiteStorage.GetMailCollection calls sanitizer.XSSService.SanitizeString, which eventually calls html.Tokenizer.Next

Vulnerability #2: GO-2022-0762
    Cross-site scripting due to incorrect sanitization in
    github.com/microcosm-cc/bluemonday
  More info: https://pkg.go.dev/vuln/GO-2022-0762
  Module: github.com/microcosm-cc/bluemonday
    Found in: github.com/microcosm-cc/[email protected]
    Fixed in: github.com/microcosm-cc/[email protected]
    Example traces found:
      #1: pkg/mailslurper/SQLiteStorage.go:350:51: mailslurper.SQLiteStorage.GetMailCollection calls sanitizer.XSSService.SanitizeString, which calls bluemonday.Policy.Sanitize

Vulnerability #3: GO-2022-0588
    Cross-site scripting via leaked style elements in
    github.com/microcosm-cc/bluemonday
  More info: https://pkg.go.dev/vuln/GO-2022-0588
  Module: github.com/microcosm-cc/bluemonday
    Found in: github.com/microcosm-cc/[email protected]
    Fixed in: github.com/microcosm-cc/[email protected]
    Example traces found:
      #1: pkg/mailslurper/ServerPool.go:43:39: mailslurper.NewServerPool calls sanitizer.NewXSSService, which calls bluemonday.UGCPolicy

Vulnerability #4: GO-2020-0015
    Infinite loop when decoding some inputs in golang.org/x/text
  More info: https://pkg.go.dev/vuln/GO-2020-0015
  Module: golang.org/x/text
    Found in: golang.org/x/[email protected]
    Fixed in: golang.org/x/[email protected]
    Example traces found:
      #1: pkg/mailslurper/SMTPMessagePart.go:191:37: mailslurper.SMTPMessagePart.ParseMessages calls ioutil.ReadAll, which eventually calls unicode.utf16Decoder.Transform

Your code is affected by 4 vulnerabilities from 3 modules.
This scan also found 10 vulnerabilities in packages you import and 14
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.

You should update dependencies immediately.

einsibjarni, Jun 08 '25 08:06
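Once the dependencies have been bumped, a maintainer usually wants a cheap, offline check that go.mod actually requires at least the "Fixed in" versions govulncheck reported, so the fix cannot silently regress. The following is an added example written for this page; it is not mailslurper's code and not part of the report above. It parses a constructed go.mod embedded inline and compares each pinned version against a minimum table. The minimum versions in `minFixed` are constructed placeholders, because the version numbers in the report on this page are obfuscated; substitute the values from your own govulncheck run. `CheckGoMod`, `parseRequires`, `versionLess` and `sampleGoMod` are names introduced here, not from the project.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// minFixed maps module path -> minimum acceptable version, i.e. the "Fixed in"
// version from govulncheck. These values are constructed placeholders (the
// report on this page has its versions obfuscated); replace them with yours.
var minFixed = map[string]string{
	"golang.org/x/net":                   "v0.99.0",
	"github.com/microcosm-cc/bluemonday": "v1.99.0",
	"golang.org/x/text":                  "v0.99.0",
}

// sampleGoMod is a constructed go.mod used as demo input. x/net is pinned one
// minor version below the placeholder minimum so the check has something to report.
const sampleGoMod = `module github.com/example/app

go 1.22

require (
	golang.org/x/net v0.98.0
	github.com/microcosm-cc/bluemonday v1.99.0
	golang.org/x/text v0.99.0 // indirect
	github.com/mattn/go-sqlite3 v1.14.22
)
`

// parseRequires extracts module -> version from go.mod text, handling both the
// single-line "require m v" form and the parenthesised block form. Trailing
// comments such as "// indirect" are stripped first.
func parseRequires(goMod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		switch {
		case len(fields) == 0:
			continue
		case inBlock && fields[0] == ")":
			inBlock = false
		case inBlock && len(fields) >= 2:
			reqs[fields[0]] = fields[1]
		case fields[0] == "require" && len(fields) == 2 && fields[1] == "(":
			inBlock = true
		case fields[0] == "require" && len(fields) >= 3:
			reqs[fields[1]] = fields[2]
		}
	}
	return reqs
}

// versionCore splits "v1.2.3-pre+meta" into [1 2 3] and reports whether a
// pre-release suffix (which includes Go pseudo-versions) is present.
func versionCore(v string) ([3]int, bool) {
	var core [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	pre := false
	if i := strings.Index(v, "-"); i >= 0 {
		pre = true
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		n, err := strconv.Atoi(p)
		if err != nil {
			break // malformed component: remaining parts stay 0
		}
		core[i] = n
	}
	return core, pre
}

// versionLess reports whether a < b in semver order: numeric core first, then a
// pre-release/pseudo-version sorts below the release with the same core.
func versionLess(a, b string) bool {
	ac, apre := versionCore(a)
	bc, bpre := versionCore(b)
	for i := 0; i < 3; i++ {
		if ac[i] != bc[i] {
			return ac[i] < bc[i]
		}
	}
	return apre && !bpre
}

// CheckGoMod returns one finding per module that go.mod pins below its minimum.
// Modules absent from go.mod are not reported: the project may not depend on them.
func CheckGoMod(goMod string, min map[string]string) []string {
	reqs := parseRequires(goMod)
	var findings []string
	for mod, want := range min {
		if have, ok := reqs[mod]; ok && versionLess(have, want) {
			findings = append(findings, fmt.Sprintf("%s: have %s, need >= %s", mod, have, want))
		}
	}
	sort.Strings(findings) // deterministic output regardless of map order
	return findings
}

func main() {
	for _, f := range CheckGoMod(sampleGoMod, minFixed) {
		fmt.Println("BELOW FIX:", f)
	}
}
```

Running this against the constructed go.mod flags only golang.org/x/net; in a port or CI job you would feed it the real go.mod and fail the build when the slice is non-empty. Pseudo-versions (`v0.0.0-2020...-abcdef`) are treated as below the corresponding release, which matches how govulncheck counts an unfixed pre-release snapshot.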