[GH-ISSUE #635] CVE-2025-15467 #399

New issue

Closed

opened 2026-03-15 14:14:45 +03:00 by kerem · 3 comments

kerem commented 2026-03-15 14:14:45 +03:00

Owner

Copy link

Originally created by @Namoshek on GitHub (Jan 29, 2026).
Original GitHub issue: https://github.com/axllent/mailpit/issues/635

Recently a critical critical CVE-2025-15467 has been published. According to Trivy, the Mailpit image is affected.

Whether this CVE is applicable to Mailpit in the sense that it can be exploited would require its own analysis which is far beyond my scope. However, since the CVE is fixed in the alpine:latest base image, can we simply get a new version with a rebuilt image?

Thanks in advance!

Originally created by @Namoshek on GitHub (Jan 29, 2026). Original GitHub issue: https://github.com/axllent/mailpit/issues/635 Recently a critical critical [CVE-2025-15467](https://avd.aquasec.com/nvd/2025/cve-2025-15467/) has been published. According to Trivy, the Mailpit image is affected. Whether this CVE is applicable to Mailpit in the sense that it can be exploited would require its own analysis which is far beyond my scope. However, since the CVE is fixed in the `alpine:latest` base image, can we simply get a new version with a rebuilt image? Thanks in advance!

kerem closed this issue 2026-03-15 14:14:50 +03:00

kerem commented 2026-03-15 14:14:56 +03:00

Author

Owner

Copy link

@axllent commented on GitHub (Jan 29, 2026):

Hi @Namoshek - thanks for the heads-up. Whilst I haven't released a new Mailpit version as such, I have rebuilt & pushed the axllent/mailpit:latest, axllent/mailpit:v1.28.4, axllent/mailpit:v1.28 and the axllent/mailpit:edge docker images, so these images should all be clear of this CVE (or any others at the moment) 👍 I hope this unblocks you?

<!-- gh-comment-id:3820642008 --> @axllent commented on GitHub (Jan 29, 2026): Hi @Namoshek - thanks for the heads-up. Whilst I haven't released a new Mailpit version as such, I have rebuilt & pushed the `axllent/mailpit:latest`, `axllent/mailpit:v1.28.4`, `axllent/mailpit:v1.28` and the `axllent/mailpit:edge` docker images, so these images should all be clear of this CVE (or any others at the moment) 👍 I hope this unblocks you?

kerem commented 2026-03-15 14:15:01 +03:00

Author

Owner

Copy link

@Namoshek commented on GitHub (Jan 30, 2026):

I assumed creating a new tag is the simpliest solution, but your option works for us as well. Thanks for the quick fix!

<!-- gh-comment-id:3824589778 --> @Namoshek commented on GitHub (Jan 30, 2026): I assumed creating a new tag is the simpliest solution, but your option works for us as well. Thanks for the quick fix!

kerem commented 2026-03-15 14:15:06 +03:00

Author

Owner

Copy link

@axllent commented on GitHub (Jan 30, 2026):

Absolutely, a new tag is probably easiest (although it does require a socket pull), however given that there are no actual changes to the code I felt it better to just refresh the docket versions. Again, thank you for the cve alert.

<!-- gh-comment-id:3825093674 --> @axllent commented on GitHub (Jan 30, 2026): Absolutely, a new tag is probably easiest (although it does require a socket pull), however given that there are no actual changes to the code I felt it better to just refresh the docket versions. Again, thank you for the cve alert.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

master

v1.29.7

v1.29.6

v1.29.5

v1.29.4

v1.29.3

v1.29.2

v1.29.1

v1.29.0

v1.28.4

v1.28.3

v1.28.2

v1.28.1

v1.28.0

v1.27.11

v1.27.10

v1.27.9

v1.27.8

v1.27.7

v1.27.6

v1.27.5

v1.27.4

v1.27.3

v1.27.2

v1.27.1

v1.27.0

v1.26.2

v1.26.1

v1.26.0

v1.25.1

v1.25.0

v1.24.2

v1.24.1

v1.24.0

v1.23.2

v1.23.1

v1.23.0

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.21.1

v1.21.0

v1.20.7

v1.20.6

v1.20.5

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.18.7

v1.18.6

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.1

v1.15.0

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.0

v1.10.4

v1.10.3

v1.10.2

v1.10.1

v1.10.0

v1.9.10

v1.9.9

v1.9.8

v1.9.7

v1.9.6

v1.9.5

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.1

v1.7.0

v1.6.22

v1.6.21

v1.6.20

v1.6.19

v1.6.18

v1.6.17

v1.6.16

v1.6.15

v1.6.14

v1.6.13

v1.6.12

v1.6.11

v1.6.10

v1.6.9

v1.6.8

v1.6.7

v1.6.6

v1.6.5

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.0

v1.3.11

v1.3.10

v1.3.9

v1.3.8

v1.3.7

v1.3.6

v1.3.5

v1.3.4

v1.3.3

v1.3.2

v1.3.1

v1.3.0

v1.2.9

v1.2.8

v1.2.7

v1.2.6

1.2.5

1.2.4

1.2.3

1.2.2

1.2.1

1.2.0

1.1.7

1.1.6

1.1.5

1.1.4

1.1.3

1.1.2

1.1.1

1.1.0

1.0.0

1.0.0-beta1

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

0.1.0

0.0.9

0.0.8

0.0.7

0.0.6

0.0.5

0.0.4

0.0.3

0.0.2

0.0.1-beta

Labels

Clear labels   

awaiting feedback

  

bug

  

docker

  

documentation

  

enhancement

  

github_actions

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

wontfix

No labels

awaiting feedback

bug

docker

documentation

enhancement

github_actions

invalid

pull-request

question

stale

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/mailpit#399

No description provided.