Vulnerability in the Mail gem affecting Rails 3.0.x applications


Michael Koziarski

Jan 26, 2011, 12:10:24 AM
Mikel Lindsaar has released a new version of the mail gem which
addresses a potential vulnerability affecting the sendmail delivery
method. As this affects Rails users, I'm cross-posting the
announcement here. For more information see the original

The original report follows:

There is a vulnerability in the sendmail delivery agent of the
Mail gem that could allow an attacker to pass arbitrary commands
to the system.

Versions Affected: Versions 2.2.14 or earlier
Not affected: Any application not using sendmail delivery
Fixed Versions: 2.2.15 or later

An attacker could craft an email address used to send out an email
and inject code that would be executed by the system shell.
All users who are using sendmail to deliver their system email and
running a 2.2.14 or earlier release of Mail should upgrade.

Mail version 2.2.15 has been released which fixes this problem and
is available on

Steps to protect your application:
Update your Gemfile and include:
gem "mail", "~> 2.2.15"

and run
$ bundle install

Or for non-Bundler systems, install the mail gem 2.2.15 with:
gem install mail

Changing your delivery method to use SMTP or File instead of
Sendmail will also protect you from the potential exploit.
In Mail, instructions on how to use the SMTP or File delivery
methods can be found at:

For Ruby on Rails users, delivery method settings can be found at:

A patch can be found at the following URL for the Mail Sendmail
class for those who are running an earlier version of Mail and
cannot update to the latest version.

Thanks to Andy Lindeman for initially reporting the vulnerability
and providing a patch fix and to Steven Lorek for also reporting
the issue.
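The mechanism described above (an address interpolated into a sendmail command line that the system shell then interprets), shown as an added, self-contained example. This is not the Mail gem's code and makes no claim about what 2.2.15 actually changed: it uses a stand-in "sendmail" (a ruby one-liner that echoes its arguments), a constructed attacker address `EVIL_FROM`, and two standard remedies for this class of bug, quoting with `Shellwords.escape` and bypassing the shell entirely with an argv array.

```ruby
require 'shellwords'
require 'rbconfig'

# Stand-in for /usr/sbin/sendmail used only by this demo (an assumption, not
# the gem's code): a ruby one-liner that prints every argument it received on
# its own line, so the output shows exactly how the addresses reached the "MTA".
# The trailing '--' stops ruby from treating '-f' as one of its own options.
FAKE_SENDMAIL_ARGV = [RbConfig.ruby, '-e', 'puts ARGV', '--'].freeze
FAKE_SENDMAIL_CMD  = Shellwords.join(FAKE_SENDMAIL_ARGV)

# Constructed attacker-controlled sender address. To /bin/sh the ';' ends the
# sendmail command and starts a second one; the '#' comments out whatever the
# application appends afterwards. 'echo INJECTED' stands in for the real payload.
EVIL_FROM = 'attacker@example.com; echo INJECTED #'
TO        = 'victim@example.com'

# Vulnerable pattern: untrusted addresses interpolated into one flat command
# string. Because the string contains shell metacharacters, Ruby runs it via
# /bin/sh -c, and the shell honours the injected ';'.
def deliver_vulnerable(from, to)
  IO.popen("#{FAKE_SENDMAIL_CMD} -f #{from} -- #{to}") { |io| io.read }
end

# Remedy 1: quote each untrusted value for the shell. The whole address now
# arrives at sendmail as a single argument, metacharacters included.
def deliver_escaped(from, to)
  cmd = "#{FAKE_SENDMAIL_CMD} -f #{Shellwords.escape(from)} -- #{Shellwords.escape(to)}"
  IO.popen(cmd) { |io| io.read }
end

# Remedy 2 (stronger): never involve a shell. Passing an argv array makes Ruby
# exec the program directly, so nothing is left that could interpret ';'.
def deliver_argv(from, to)
  IO.popen(FAKE_SENDMAIL_ARGV + ['-f', from, '--', to]) { |io| io.read }
end

# Did the injected command run? Only the vulnerable path produces a line
# starting with "INJECTED"; in the fixed paths the text stays inside the address.
def injected?(output)
  output.lines.any? { |line| line.start_with?('INJECTED') }
end

if __FILE__ == $PROGRAM_NAME
  { vulnerable: deliver_vulnerable(EVIL_FROM, TO),
    escaped:    deliver_escaped(EVIL_FROM, TO),
    argv:       deliver_argv(EVIL_FROM, TO) }.each do |name, out|
    puts "== #{name}: injected=#{injected?(out)}"
    puts out
  end
end
```

Running the file shows the vulnerable path printing a bare INJECTED line after the two arguments sendmail actually saw, while both fixed paths hand the full four arguments (`-f`, the complete address, `--`, the recipient) to the stand-in unchanged. Of the two remedies, the argv form is preferable: it removes the shell from the call path instead of relying on every interpolated value being escaped.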


