GHSA-9j88-vvj5-vhgr: STARTTLS Response Injection and SASL Downgrade in MailKit

North America, 🇺🇸 United States, April 19, 2026
Originally published by Dev.to

Vulnerability ID: GHSA-9J88-VVJ5-VHGR
CVSS Score: 6.5
Published: 2026-04-18

MailKit versions prior to 4.16.0 contain a STARTTLS response injection vulnerability. A network-positioned attacker can inject plaintext protocol responses into the client's internal read buffer before the TLS handshake completes, causing the client to process the injected data post-TLS. This flaw typically facilitates SASL mechanism downgrades.

TL;DR

A flaw in MailKit's stream handling allows a Man-in-the-Middle attacker to inject malicious protocol data during the STARTTLS upgrade. The unflushed internal buffer causes the client to process this unencrypted data as a legitimate post-TLS response, enabling authentication downgrades.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-74
  • Attack Vector: Network (MitM)
  • CVSS Score: 6.5
  • Impact: Integrity (High) - SASL Downgrade
  • Exploit Status: Proof-of-Concept

Affected Systems

  • MailKit < 4.16.0 (fixed in 4.16.0)

Mitigation Strategies

  • Update MailKit to version 4.16.0 or newer.
  • Enforce implicit TLS (SslOnConnect) on dedicated secure ports (465, 993, 995) instead of relying on STARTTLS.

Remediation Steps:

  1. Identify projects referencing MailKit via csproj or packages.config.
  2. Update the NuGet package reference to version 4.16.0 or higher.
  3. Recompile and deploy the application.
  4. Audit network configurations to ensure implicit TLS is preferred over explicit STARTTLS.
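The following C# snippet is an added example, not code from the advisory or from the MailKit project, showing how the mitigation above and remediation step 4 look in an application that uses MailKit's public API: the weak explicit-STARTTLS pattern is kept only for contrast, the hardened path connects with implicit TLS on the dedicated ports (993 for IMAP, 465 for SMTP), refuses to authenticate unless the session is already encrypted, and treats a post-TLS capability list that has lost the expected SASL mechanism as a possible downgrade. Host names, credentials and the expected mechanism name are placeholders.

```csharp
// Added example (not MailKit's own code and not part of the advisory).
// Requires the MailKit NuGet package, 4.16.0 or newer.
using System;
using MailKit;
using MailKit.Net.Imap;
using MailKit.Net.Smtp;
using MailKit.Security;

static class SecureMailClients
{
    // Weak pattern the advisory is about: plaintext connect, then STARTTLS upgrade.
    // Kept here for contrast only; on MailKit < 4.16.0 this is the exposed path.
    public static void ConnectImapWithStartTls(ImapClient client, string host)
    {
        client.Connect(host, 143, SecureSocketOptions.StartTls);
    }

    // Refuse to send credentials unless TLS was negotiated before any protocol
    // bytes were exchanged, and check that the mechanism we expect the server to
    // offer is still advertised after the handshake (a missing strong mechanism is
    // the observable symptom of a SASL downgrade).
    static void AssertSecureAndNotDowngraded(MailService client, string expectedMechanism)
    {
        if (!client.IsSecure)
            throw new InvalidOperationException("Session is not encrypted; refusing to authenticate.");

        if (!client.AuthenticationMechanisms.Contains(expectedMechanism))
            throw new InvalidOperationException(
                $"Server did not advertise {expectedMechanism} after TLS; possible SASL downgrade.");
    }

    // Hardened IMAP: implicit TLS on port 993, so there is never a pre-TLS
    // plaintext phase whose bytes could linger in a read buffer.
    public static ImapClient ConnectImapImplicitTls(
        string host, string user, string password, string expectedMechanism)
    {
        var client = new ImapClient();
        client.Connect(host, 993, SecureSocketOptions.SslOnConnect);
        AssertSecureAndNotDowngraded(client, expectedMechanism);
        client.Authenticate(user, password);
        return client;
    }

    // Hardened SMTP submission: implicit TLS on port 465.
    public static SmtpClient ConnectSmtpImplicitTls(
        string host, string user, string password, string expectedMechanism)
    {
        var client = new SmtpClient();
        client.Connect(host, 465, SecureSocketOptions.SslOnConnect);
        AssertSecureAndNotDowngraded(client, expectedMechanism);
        client.Authenticate(user, password);
        return client;
    }

    public static void Main()
    {
        // Placeholder values; replace with real host, credentials and the mechanism
        // your server is known to support (e.g. a SCRAM variant or XOAUTH2).
        using var imap = ConnectImapImplicitTls(
            "imap.example.invalid", "user@example.invalid", "app-password",
            "SCRAM-SHA-256");
        Console.WriteLine($"IMAP authenticated over TLS: {imap.IsAuthenticated}");
        imap.Disconnect(true);
    }
}
```

The expected-mechanism check is a policy choice: it only helps if you know which mechanism the legitimate server offers, and it will reject servers that genuinely offer only PLAIN or LOGIN over TLS. The implicit-TLS ports are the part that removes the STARTTLS upgrade window entirely.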
