CVE-2024-27938

Name of the Vulnerable Software and Affected Versions Postal versions less than 3.0.0

Description The issue allows for SMTP Smuggling attacks, which may enable incoming e-mails to be spoofed. This could allow an incoming e-mail to be received by Postal, appearing to be from a server that a user has authorized to send mail on their behalf, but was not the genuine author of the e-mail. The problem does not affect sending outgoing e-mails, as e-mail is re-encoded with <CR><LF> line endings when transmitted over SMTP.

Recommendations For versions less than 3.0.0, upgrade to Postal v3.0.0 or higher to resolve the issue. Once upgraded, Postal will only accept End of DATA sequences which are explicitly <CR><LF>.<CR><LF>, and non-compliant sequences will be logged to the SMTP server log.