TLS hostname verification disabled when using Boring TLS backend
| Details | |
|---|---|
| Package | lettre |
| Version | 0.11.21 |
| URL | GHSA-4pj9-g833-qx53 |
| Date | 2026-05-14 |
| Patched versions | >=0.11.22 |
| Unaffected versions | <0.10.1 |
An inverted-boolean bug in lettre's boring-tls integration silently
disables TLS hostname verification for callers using the default (strict)
configuration. An on-path attacker presenting any chain-valid certificate
for any domain can intercept SMTP submission, including PLAIN/LOGIN
credentials and message contents, against any lettre user built with the
boring-tls feature. Other TLS backends (native-tls, rustls) are
unaffected.
The bug was introduced in v0.10.1 and persists through v0.11.21 (latest).
See advisory page for additional details.
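To make the bug class concrete, here is an added Rust illustration of how an inverted boolean in the mapping from a client-side TLS setting to the backend verifier turns off hostname checking for the strict default. This is not lettre's or boring's code; the type and function names (`TlsSettings`, `accept_invalid_hostnames`, `BackendVerifier`, `build_verifier_buggy`, `build_verifier_fixed`, `handshake_ok`) are hypothetical, and the "verifier" only models the DNS-name match step on a certificate that is assumed to be chain-valid already. The `#[test]` at the end is the kind of regression test that would have caught the inversion: it asserts that the default configuration rejects a chain-valid certificate issued for a different name.

```rust
// Added illustration of the advisory's bug class; NOT lettre's code.
// All names below are hypothetical stand-ins.

/// Caller-facing TLS settings. `accept_invalid_hostnames` mirrors a
/// "danger" opt-out; the default (false) is the strict configuration.
#[derive(Clone, Debug)]
pub struct TlsSettings {
    pub accept_invalid_hostnames: bool,
}

impl Default for TlsSettings {
    fn default() -> Self {
        TlsSettings { accept_invalid_hostnames: false }
    }
}

/// Stand-in for the backend's per-connection verifier state.
#[derive(Debug, PartialEq)]
pub struct BackendVerifier {
    pub verify_hostname: bool,
}

/// Buggy mapping: the boolean is passed through un-negated, so the strict
/// default (accept_invalid_hostnames = false) disables the hostname check.
pub fn build_verifier_buggy(s: &TlsSettings) -> BackendVerifier {
    BackendVerifier { verify_hostname: s.accept_invalid_hostnames }
}

/// Corrected mapping: verify unless the caller explicitly opted out.
pub fn build_verifier_fixed(s: &TlsSettings) -> BackendVerifier {
    BackendVerifier { verify_hostname: !s.accept_invalid_hostnames }
}

/// Case-insensitive DNS-name match with single-label leftmost wildcard
/// support ("*.example.com" matches "smtp.example.com" but not
/// "a.b.example.com"). Simplified model of the SAN check.
pub fn dns_name_matches(pattern: &str, host: &str) -> bool {
    let (p, h) = (pattern.to_ascii_lowercase(), host.to_ascii_lowercase());
    if let Some(suffix) = p.strip_prefix("*.") {
        match h.split_once('.') {
            Some((first, rest)) => !first.is_empty() && rest == suffix,
            None => false,
        }
    } else {
        p == h
    }
}

/// Models the hostname step only: the chain is assumed valid. Returns true
/// if the connection would proceed with the given verifier state.
pub fn handshake_ok(v: &BackendVerifier, expected_host: &str, cert_dns_names: &[&str]) -> bool {
    if !v.verify_hostname {
        // Hostname check skipped: any chain-valid certificate is accepted.
        return true;
    }
    cert_dns_names.iter().any(|n| dns_name_matches(n, expected_host))
}

fn main() {
    // Constructed scenario: client expects smtp.example.com, on-path party
    // presents a chain-valid certificate for a different name.
    let settings = TlsSettings::default();
    let target = "smtp.example.com";
    let wrong_name_cert = ["attacker.example"];
    println!(
        "buggy mapping accepts mismatched cert: {}",
        handshake_ok(&build_verifier_buggy(&settings), target, &wrong_name_cert)
    );
    println!(
        "fixed mapping accepts mismatched cert: {}",
        handshake_ok(&build_verifier_fixed(&settings), target, &wrong_name_cert)
    );
}
```

The useful takeaway for a project maintaining several TLS backends is the shape of the test: construct the default settings, build the backend-specific verifier, and assert both that hostname verification is on and that a mismatched-name certificate is rejected, for every backend behind a feature flag.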