Critical SSRF Vulnerability in Axiom Mail Server (CVE-2025-22230)
A critical unauthenticated Server-Side Request Forgery (SSRF) vulnerability has been found in the Axiom Mail Server. The flaw, nicknamed “Mailman’s Detour” and tracked as CVE-2025-22230, allows a remote attacker to force the server to make requests to internal network resources, including cloud metadata services. This vulnerability has a CVSS score of 9.1 (Critical) and could lead to a full cloud infrastructure compromise.
TL;DR:
- What: A critical unauthenticated SSRF vulnerability in the “Remote Fetch” feature.
- Affected Software: Axiom Mail Server versions 4.0.0 through 4.5.1.
- Impact: Attackers can scan internal networks and steal cloud provider credentials (e.g., AWS, Azure, GCP), leading to infrastructure takeover.
- Action: Update to version 4.5.2 or newer immediately. Also, implement egress filtering as a defense-in-depth measure.
What is Axiom Mail Server?
Axiom Mail Server is a popular, self-hosted email solution for businesses, prized for its robust feature set and administrative control. It includes features for mail migration, archiving, and webmail access.
The “Mailman’s Detour” Vulnerability Explained
Server-Side Request Forgery (SSRF) is a vulnerability where an attacker can trick a server into sending requests to unintended locations. In this case, the flaw is in Axiom’s “Fetch Email from Remote URL” feature, which is designed to help users migrate email accounts.
The feature’s URL validation is insufficient: it does not reject destinations in private, loopback or link-local address space, nor the cloud metadata endpoints. An attacker can use the public-facing web interface to submit a crafted URL that points to an internal address instead of a public one. The mail server treats it as a legitimate migration request, fetches the resource from that internal URL, and returns the fetched content in its response, so whatever the internal service answered is handed straight back to the attacker.
The Attack Scenario (Cloud Environments): The most critical impact is in cloud-hosted environments.
- An attacker targets an Axiom Mail Server running on a cloud platform like AWS.
- They use the “Remote Fetch” feature and provide the URL for the AWS metadata service: http://169.254.169.254/latest/meta-data/iam/security-credentials/
- The Axiom server makes a request to this internal-only address.
- The AWS metadata service responds with the temporary IAM role credentials assigned to the server instance.
- The Axiom server forwards this response to the attacker, handing them the keys to your cloud infrastructure.
An attacker could trigger this with a simple curl command against the API:
Bash
# Attacker's command to a vulnerable server
curl -X POST 'https://your-axiom-server.com/api/remote_fetch' \
  -H 'Content-Type: application/json' \
  -d '{"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}'
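To make the “insufficient URL validation” concrete, here is an added example (not Axiom’s code, and not taken from the advisory) that shows both halves of the defence a Remote Fetch feature needs. `naive_is_allowed` is a substring denylist of the kind that stops the literal metadata URL from the curl command above and nothing else; `is_allowed_fetch_url` is the hardened check: scheme allow-list, metadata hostnames rejected by name, and every destination resolved and refused unless it is globally routable. The same classifier is then run over a few constructed application log lines to flag exploitation attempts after the fact. The function names, the `remote_fetch src=... url=...` log format, the `FAKE_DNS` table (which stands in for DNS so the example runs offline) and the sample log are all assumptions for illustration.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Well-known metadata hostnames, rejected by name so they never reach the resolver.
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata", "instance-data"}


def naive_is_allowed(url):
    """Substring denylist of the kind the text calls insufficient: it stops the
    literal 169.254.169.254 URL and file://, and nothing else."""
    return "169.254.169.254" not in url and not url.lower().startswith("file:")


def system_resolver(host):
    """Resolve via libc (assumption: the same resolver the fetcher itself uses)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_allowed_fetch_url(url, resolve=system_resolver):
    """Hardened check: allow-list the scheme, reject metadata hostnames, then
    resolve the host and refuse any address that is not globally routable."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    if not host:
        return False
    if host.lower().rstrip(".") in METADATA_HOSTNAMES:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IPv4 / bracketed IPv6
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False                              # unresolvable: fail closed
    if not addrs:
        return False
    for addr in addrs:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped                   # [::ffff:169.254.169.254] is IPv4 in disguise
        if not addr.is_global:                        # private, loopback, link-local, ULA, reserved
            return False
    return True


# Constructed resolver table standing in for DNS (assumption, so the example runs
# offline). "2852039166" is 169.254.169.254 written as a single decimal integer;
# libc's inet_aton and curl both accept that form, while the naive check never
# sees the dotted string it is looking for.
FAKE_DNS = {
    "2852039166": ["169.254.169.254"],
    "localhost": ["127.0.0.1"],
    "intranet.corp.example": ["10.20.30.40"],
    "mail.example.org": ["93.184.216.34"],
}


def fake_resolver(host):
    try:
        return FAKE_DNS[host.lower()]
    except KeyError:
        raise socket.gaierror(f"unresolvable: {host}")


# Assumed application log format for the Remote Fetch feature (not Axiom's real
# format): one line per fetch with the requester's address and the target URL.
LOG_LINE = re.compile(r"remote_fetch src=(?P<src>\S+) url=(?P<url>\S+)")

# Constructed sample log: one legitimate migration fetch, then five SSRF attempts.
SAMPLE_LOG = """\
2025-03-04T10:15:01Z remote_fetch src=198.51.100.20 url=https://mail.example.org/export.mbox status=200
2025-03-04T10:15:02Z remote_fetch src=203.0.113.7 url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ status=200
2025-03-04T10:15:03Z remote_fetch src=203.0.113.7 url=http://2852039166/latest/meta-data/ status=200
2025-03-04T10:15:04Z remote_fetch src=203.0.113.7 url=http://[::ffff:169.254.169.254]/latest/meta-data/ status=200
2025-03-04T10:15:05Z remote_fetch src=203.0.113.7 url=http://intranet.corp.example:8080/admin status=200
2025-03-04T10:15:06Z remote_fetch src=203.0.113.7 url=file:///etc/passwd status=200
"""


def find_ssrf_attempts(log_text, resolve=fake_resolver):
    """Return (src, url) for every logged fetch the hardened check would reject."""
    hits = []
    for m in LOG_LINE.finditer(log_text):
        if not is_allowed_fetch_url(m["url"], resolve=resolve):
            hits.append((m["src"], m["url"]))
    return hits


if __name__ == "__main__":
    for src, url in find_ssrf_attempts(SAMPLE_LOG):
        print(f"SSRF attempt from {src}: {url}")
```

Two caveats the check alone does not cover: resolving and then fetching is a time-of-check/time-of-use gap (DNS rebinding), so the fetcher should connect to the address it validated rather than resolving the name a second time; and an allowed public URL can redirect to an internal one, so redirects must either be disabled or re-validated hop by hop with the same function.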
Impact and Remediation
A successful exploit of CVE-2025-22230 is devastating. An attacker can:
- Steal cloud credentials from AWS, Azure, or GCP metadata services.
- Scan your internal network by using the mail server as a proxy.
- Access internal-only web applications, dashboards, and APIs.
- Read local files from the mail server itself using the file:/// protocol handler.
Are you affected? You are vulnerable if you are running any version of Axiom Mail Server from 4.0.0 through 4.5.1.
How to Fix It 🛡️ The Axiom Mail development team has released a security patch.
- Update the Software: Your first priority is to update your Axiom Mail Server to version 4.5.2 or newer. This version implements strict URL validation and blocks requests to private IP ranges and metadata services.
- Implement Egress Filtering (Defense-in-Depth): As a crucial secondary control, configure the host firewall on the mail server to block outbound traffic from the mail server process to 169.254.169.254 and to private address space it has no business reaching. Do this on the host: on AWS, security groups do not filter traffic to the instance metadata service, so a security-group rule alone will not stop this. This network-level control provides an extra layer of protection against this and future SSRF vulnerabilities.
- Harden the Metadata Service: On AWS, require IMDSv2 (set the instance metadata option http-tokens to required). IMDSv2 only answers after a PUT request with a custom header has obtained a session token, and a fetcher that can only be made to issue GET requests cannot complete that handshake. GCP and Azure similarly require a custom request header before they return metadata.
- Rotate Credentials: If you are running in a cloud environment, you should assume existing credentials have been compromised and rotate them immediately after patching. Check the cloud audit log (e.g., CloudTrail) for use of the instance role from addresses other than the instance itself.
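A host-level egress filter of the kind the second remediation step describes, as an added example (not Axiom’s documentation and not from the advisory): an nftables ruleset that lets the mail server’s service account reach DNS but rejects its traffic to the cloud metadata endpoints and to private, link-local and unique-local address space. The service account name axiom, the file path in the comment, and the choice of nftables over iptables are assumptions; extend the accept rules with whatever internal SMTP relays or resolvers the server legitimately needs before the reject rules.

```nftables
# Assumed location: /etc/nftables.d/axiom-egress.nft, loaded with: nft -f <file>
# Matches on the socket owner (meta skuid) so only the mail server's own
# processes are restricted; agents running as root or other users are unaffected.
table inet axiom_egress {
    chain output {
        type filter hook output priority 0; policy accept;

        # DNS must keep working so the server can still resolve MX records and
        # legitimate migration sources. Assumption: the resolver is not a host
        # in the private ranges rejected below; if it is, add its address here.
        meta skuid axiom udp dport 53 accept
        meta skuid axiom tcp dport 53 accept

        # Cloud metadata endpoints. AWS, Azure and GCP all serve IMDS on
        # 169.254.169.254; AWS additionally exposes it over IPv6 on fd00:ec2::254.
        meta skuid axiom ip  daddr 169.254.169.254 counter reject with icmpx type admin-prohibited
        meta skuid axiom ip6 daddr fd00:ec2::254   counter reject with icmpx type admin-prohibited

        # Everything else in RFC 1918, link-local, CGNAT and ULA space: the
        # Remote Fetch feature should only ever be pulling mail from public hosts.
        meta skuid axiom ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10, 169.254.0.0/16 } counter reject with icmpx type admin-prohibited
        meta skuid axiom ip6 daddr { fc00::/7, fe80::/10 } counter reject with icmpx type admin-prohibited
    }
}
```

The counters make the rules double as a detector: a non-zero count on the metadata reject rules after deployment (nft list table inet axiom_egress) means something running as the mail server user tried to reach IMDS, which is worth correlating with the Remote Fetch request log.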
Resources and Citations
- Official Axiom Mail Website: https://www.axiom-mail.io
- Official GitHub Repository: https://github.com/AxiomMail/Axiom
- Official Security Advisory: https://github.com/AxiomMail/Axiom/security/advisories/GHSA-fictional-pqrs-2230
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-22230
- Discoverer’s Technical Blog: https://rhinosecuritylabs.com/aws/cve-2025-22230-axiom-ssrf/
- General