GHSA-9j88-vvj5-vhgr: STARTTLS Response Injection and SASL Downgrade in MailKit
Vulnerability ID: GHSA-9j88-vvj5-vhgr
CVSS Score: 6.5
Published: 2026-04-18
MailKit versions prior to 4.16.0 contain a STARTTLS response injection vulnerability. The client reads server responses through a buffered stream, and any bytes that arrive together with the server's STARTTLS acknowledgement remain in that buffer across the TLS handshake. A network-positioned attacker who appends plaintext lines directly after the STARTTLS response therefore gets them consumed after the handshake, where the client treats them as the server's first responses over TLS. Because the first response after STARTTLS typically carries the server's capability list, including its SASL mechanisms, the usual outcome is a SASL mechanism downgrade: the client believes only the mechanisms the attacker listed are available.
TL;DR
A flaw in MailKit's stream handling allows a Man-in-the-Middle attacker to inject malicious protocol data during the STARTTLS upgrade. The unflushed internal buffer causes the client to process this unencrypted data as a legitimate post-TLS response, enabling authentication downgrades.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-74
- Attack Vector: Network (MitM)
- CVSS Score: 6.5
- Impact: Integrity (High) - SASL Downgrade
- Exploit Status: Proof-of-Concept
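How an unflushed read buffer turns a plaintext injection into a trusted post-TLS response, as an added example that is not MailKit's code. The fake socket, the IMAP-style responses and the injected capability line are constructed for the demo, and the TLS upgrade is modelled as switching to a channel the attacker cannot write to. connect_vulnerable reuses its reader across the upgrade and ends up selecting the attacker's mechanism; connect_hardened refuses to upgrade while plaintext bytes are still buffered and starts a fresh reader over the TLS stream. The advisory does not say whether 4.16.0 fixes the issue in exactly this way.

```python
"""STARTTLS response injection against a client that keeps its plaintext
read buffer across the TLS upgrade.  Added example, not MailKit's code.
Responses, injected line and socket model are constructed for the demo;
'TLS' is a second byte channel that only the server can write to."""

# Constructed IMAP-style server responses (not captured traffic).
GREETING = b"* OK [CAPABILITY IMAP4rev1 STARTTLS] ready\r\n"
STARTTLS_OK = b"A1 OK Begin TLS negotiation now\r\n"
CAPS_OVER_TLS = b"* OK [CAPABILITY IMAP4rev1 AUTH=SCRAM-SHA-256 AUTH=PLAIN] ready\r\n"
# Attacker's plaintext line, sent in the same segment as the STARTTLS OK.
INJECTED = b"* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready\r\n"
# Client preference order, strongest first.
PREFERENCE = ("SCRAM-SHA-256", "PLAIN")


class StartTlsInjection(Exception):
    """Raised by the hardened client when plaintext bytes outlive STARTTLS."""


class FakeSocket:
    """Plaintext channel before start_tls(), a separate TLS channel after."""

    def __init__(self, plaintext: bytes, tls_text: bytes):
        self._pending = plaintext
        self._tls_text = tls_text
        self.tls_active = False
        self.sent = []

    def send(self, data: bytes) -> None:
        self.sent.append(data)

    def recv(self, n: int) -> bytes:
        # Like a real socket: returns whatever has arrived, possibly
        # several protocol lines in one read.
        chunk, self._pending = self._pending[:n], self._pending[n:]
        return chunk

    def start_tls(self) -> None:
        # After the handshake only the server can put bytes on the channel.
        self.tls_active = True
        self._pending = self._tls_text


class BufferedLineReader:
    """Reads in large chunks and hands out CRLF-terminated lines."""

    def __init__(self, sock: FakeSocket, chunk: int = 4096):
        self.sock, self.chunk, self.buf = sock, chunk, b""

    def readline(self) -> bytes:
        while b"\r\n" not in self.buf:
            data = self.sock.recv(self.chunk)
            if not data:
                raise EOFError("connection closed")
            self.buf += data
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line

    def pending(self) -> int:
        return len(self.buf)


def auth_mechanisms(capability_line: bytes) -> set:
    """Extract AUTH=<mech> tokens from an IMAP capability response."""
    toks = [t.strip(b"[]") for t in capability_line.split()]
    return {t[5:].decode() for t in toks if t.startswith(b"AUTH=")}


def select_mechanism(offered: set) -> str:
    for mech in PREFERENCE:
        if mech in offered:
            return mech
    raise ValueError("no acceptable SASL mechanism offered")


def _starttls_exchange(reader: BufferedLineReader) -> None:
    reader.readline()                        # greeting
    reader.sock.send(b"A1 STARTTLS\r\n")
    resp = reader.readline()
    if not resp.startswith(b"A1 OK"):
        raise RuntimeError("server refused STARTTLS: %r" % resp)


def connect_vulnerable(sock: FakeSocket) -> str:
    """Keeps the same reader (and its buffer) across the upgrade."""
    reader = BufferedLineReader(sock)
    _starttls_exchange(reader)
    sock.start_tls()
    caps = reader.readline()   # may be served from plaintext leftovers
    return select_mechanism(auth_mechanisms(caps))


def connect_hardened(sock: FakeSocket) -> str:
    """Fails closed on leftover plaintext and rebuilds the reader over TLS."""
    reader = BufferedLineReader(sock)
    _starttls_exchange(reader)
    if reader.pending():
        raise StartTlsInjection("%d plaintext bytes buffered after the "
                                "STARTTLS response" % reader.pending())
    sock.start_tls()
    reader = BufferedLineReader(sock)   # fresh buffer: only TLS bytes now
    return select_mechanism(auth_mechanisms(reader.readline()))


def session(attacker_present: bool) -> FakeSocket:
    plaintext = GREETING + STARTTLS_OK + (INJECTED if attacker_present else b"")
    return FakeSocket(plaintext, CAPS_OVER_TLS)


if __name__ == "__main__":
    print("vulnerable, clean network :", connect_vulnerable(session(False)))
    print("vulnerable, MitM injecting:", connect_vulnerable(session(True)))
    print("hardened,   clean network :", connect_hardened(session(False)))
    try:
        connect_hardened(session(True))
    except StartTlsInjection as e:
        print("hardened,   MitM injecting: aborted,", e)
```

The point of the fail-closed check is that a legitimate server never sends anything between its STARTTLS acknowledgement and the handshake, so any buffered byte at that moment is by definition not the server's; discarding it silently would also work, but aborting makes tampering visible.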
Affected Systems
- MailKit < 4.16.0 (fixed in 4.16.0)
Mitigation Strategies
- Update MailKit to version 4.16.0 or newer.
- Where the server offers implicit TLS, connect with SecureSocketOptions.SslOnConnect on the dedicated TLS ports (465 for SMTP, 993 for IMAP, 995 for POP3) instead of upgrading a plaintext connection with STARTTLS. The injection window only exists while the connection starts in plaintext; where STARTTLS cannot be avoided, updating is the only fix.
- As defence in depth, remove the SASL mechanisms you do not intend to use from client.AuthenticationMechanisms before calling Authenticate. A tampered capability list then cannot steer the client onto a weaker mechanism; authentication fails instead of downgrading.
Remediation Steps:
- Identify projects referencing MailKit via csproj or packages.config.
- Update the NuGet package reference to version 4.16.0 or higher.
- Recompile and deploy the application.
- Audit client connection code and configuration so that implicit TLS is used wherever the mail server supports it, and explicit STARTTLS only where it does not.
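A small audit script for the first remediation step, added here and not part of the advisory or of MailKit. It scans .csproj, .props, .targets and packages.config files for MailKit references and flags any version below 4.16.0. The three project files are constructed inline so the script runs offline; scan_tree() applies the same check to a real source tree.

```python
"""Flag MailKit package references below the fixed release.
Added example (not from the advisory or the MailKit project).
SAMPLE_FILES are constructed project files; scan_tree() reads real ones."""

import re
import xml.etree.ElementTree as ET
from pathlib import Path

PACKAGE = "mailkit"
FIXED = (4, 16, 0)
PROJECT_SUFFIXES = (".csproj", ".props", ".targets")


def parse_version(text: str) -> tuple:
    """'4.15.1-beta.2' -> (4, 15, 1); NuGet ranges use their lower bound.
    Floating parts ('4.*') and a missing version map to 0 and are flagged."""
    text = text.strip()
    if text and text[0] in "[(":
        text = text.strip("[]()").split(",", 1)[0]
    core = re.split(r"[-+]", text, 1)[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]      # drop an MSBuild xmlns if present


def references_in_csproj(xml_text: str) -> list:
    """Versions of every <PackageReference Include|Update="MailKit">."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "PackageReference":
            continue
        name = el.get("Include") or el.get("Update") or ""
        if name.lower() != PACKAGE:
            continue
        version = el.get("Version") or ""
        for child in el:                   # <Version>x.y.z</Version> form
            if _local(child.tag) == "Version" and child.text:
                version = child.text
        found.append(version)
    return found


def references_in_packages_config(xml_text: str) -> list:
    return [p.get("version", "") for p in ET.fromstring(xml_text).iter("package")
            if p.get("id", "").lower() == PACKAGE]


def audit(files: dict) -> list:
    """files: path -> contents.  Returns (path, version, vulnerable)."""
    findings = []
    for path, text in files.items():
        name = Path(path).name.lower()
        if name.endswith(PROJECT_SUFFIXES):
            versions = references_in_csproj(text)
        elif name == "packages.config":
            versions = references_in_packages_config(text)
        else:
            continue
        for v in versions:
            findings.append((path, v, parse_version(v) < FIXED))
    return findings


def scan_tree(root: str) -> list:
    files = {str(p): p.read_text(encoding="utf-8-sig")   # utf-8-sig: BOM-safe
             for p in Path(root).rglob("*")
             if p.suffix.lower() in PROJECT_SUFFIXES or p.name.lower() == "packages.config"}
    return audit(files)


# Constructed sample project files.
SAMPLE_FILES = {
    "src/Mailer/Mailer.csproj": '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
        '<PackageReference Include="MailKit" Version="4.15.0" />'
        '<PackageReference Include="MimeKit" Version="4.15.0" />'
        '</ItemGroup></Project>',
    "src/Worker/Worker.csproj": '<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>'
        '<PackageReference Include="MailKit"><Version>4.16.0</Version></PackageReference>'
        '</ItemGroup></Project>',
    "legacy/App/packages.config": '<packages>'
        '<package id="MailKit" version="3.6.0" targetFramework="net48" />'
        '</packages>',
}

if __name__ == "__main__":
    for path, version, vulnerable in audit(SAMPLE_FILES):
        print("%-30s %-8s %s" % (path, version or "(none)",
                                 "UPDATE" if vulnerable else "ok"))
```

Run it against a checkout with scan_tree("."); references without an explicit version (for example under central package management) come back as (0, 0, 0) and are deliberately flagged so they get looked at by hand.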