Advisories for Golang/Github.com/Foxcpp/Maddy package

2026

Maddy Mail Server has an LDAP Filter Injection via Unsanitized Username

The auth.ldap module constructs LDAP search filters and DN strings by directly interpolating user-supplied usernames via strings.ReplaceAll() without any LDAP filter escaping. An attacker who can reach the SMTP submission (AUTH PLAIN) or IMAP LOGIN interface can inject arbitrary LDAP filter expressions through the username field, enabling identity spoofing, LDAP directory enumeration, and attribute value extraction. The go-ldap/ldap/v3 library—already imported in the same file—provides ldap.EscapeFilter() specifically for this purpose, but …

2023

Authentication Bypass by Primary Weakness

maddy is a composable, all-in-one mail server. Starting with version 0.2.0 and prior to version 0.6.3, maddy allows a full authentication bypass if SASL authorization username is specified when using the PLAIN authentication mechanisms. Instead of validating the specified username, it is accepted as is after checking the credentials for the authentication username. maddy 0.6.3 includes the fix for the bug. There are no known workarounds.

2022

Use of a Key Past its Expiration Date in Maddy Mail Server

Any configuration on any maddy version <0.5.4 using auth.pam is affected. No password expiry or account expiry checking is done when authenticating using PAM.

Use of a Broken or Risky Cryptographic Algorithm in Max Mazurov Maddy

A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy before 0.5.2, which is an unnecessary risk that may result in the exposure of sensitive information.

2021

MD5 hash support in github.com/foxcpp/maddy

Impact This vulnerability affects maddy 0.5.1, 0.5.0 users using auth.shadow module and an extremely outdated system that still allows MD5 hashes in /etc/shadows. Patches Patch is available as part of the 0.5.2 release. Workarounds Ensure MD5 hashes are not present in /etc/shadow.

S3 storage write is not aborted on errors leading to unbounded memory usage

Impact Anyone using storage.blob.s3 introduced in 0.5.0 with storage.imapsql. storage.imapsql local_mailboxes { … msg_store s3 { … } } Patches The relevant commit is pushed to master and will be included in the 0.5.1 release. No special handling of the issue has been done due to the small amount of affected users. Workarounds None. References Original report: https://github.com/foxcpp/maddy/issues/395 Fix: https://github.com/foxcpp/maddy/commit/07c8495ee4394fabbf5aac4df8aebeafb2fb29d8