CVE-2024-49395: Exposure of Sensitive Information Through Metadata
In mutt and neomutt, PGP encryption does not use the --hidden-recipient mode, which may leak the Bcc email header field, since the Bcc recipients can be inferred from the recipient info in the encrypted message.
AI Analysis
Technical Summary
CVE-2024-49395 is a vulnerability in the PGP encryption implemented by the mutt and neomutt email clients. When encrypting a message, these clients do not pass the Bcc recipients using PGP's --hidden-recipient mode. That mode omits a recipient's key ID from the encrypted message, so the other recipients cannot tell whose keys the message was also encrypted to. Without it, every recipient's key ID is written into the message, and the Bcc recipients can be inferred from that recipient information, which defeats the privacy that Bcc is meant to provide. The vulnerability has a CVSS 3.1 base score of 5.3: network attack vector, low attack complexity, no privileges required and no user interaction needed. The scope is unchanged and the impact is limited to confidentiality; integrity and availability are unaffected. No exploits in the wild have been reported, and no patches or fixes have been linked yet. The issue was reserved in mid-October 2024 and published in November 2024. It is most relevant to users who rely on mutt or neomutt for secure email communication, especially in environments where Bcc privacy is critical.
Potential Impact
The primary impact of CVE-2024-49395 is the unintended disclosure of Bcc recipients in encrypted emails sent using mutt or neomutt. This compromises the confidentiality of email communications by exposing metadata that is expected to remain private. Organizations that rely on these clients for secure communications risk leaking sensitive recipient information, which could lead to privacy violations, loss of trust, or exposure of sensitive relationships or operational details. Although the vulnerability does not affect message integrity or availability, the confidentiality breach can have serious consequences in sectors such as government, legal, healthcare, and corporate environments where email privacy is paramount. The ease of exploitation is high since no authentication or user interaction is required, and the attack vector is network-based (sending or intercepting emails). However, the scope is limited to users of mutt and neomutt, which are niche email clients primarily used by privacy-focused or technical users rather than mass-market email clients. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future exploitation.
Mitigation Recommendations
To mitigate CVE-2024-49395, users and organizations should first monitor the official mutt and neomutt project channels for patches or updates that enable the use of the --hidden-recipient mode or otherwise address this metadata leakage. Until a patch is available, users should consider the following specific actions:
1) Avoid using Bcc recipients in encrypted emails sent via mutt or neomutt if confidentiality of the recipient list is critical.
2) Use alternative email clients or encryption tools that properly support hidden recipients in PGP.
3) Employ additional layers of encryption or secure communication channels to protect metadata.
4) Educate users about the risk of metadata leakage and encourage cautious use of Bcc in sensitive communications.
5) For organizations, implement email gateway solutions that can sanitize or re-encrypt emails to prevent metadata exposure.
6) Audit email usage policies to minimize reliance on Bcc in sensitive contexts.
7) Consider deploying network monitoring to detect unusual patterns that might indicate exploitation attempts.
These steps go beyond generic advice by focusing on the specific nature of the metadata leakage and the affected clients.
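To check, as part of an audit like the one recommended above, whether an already-encrypted message exposes its recipients in the way the Technical Summary describes, the following added script (not part of this advisory or of the mutt/neomutt projects) walks the OpenPGP packet headers of a binary message and lists the key ID carried by each Public-Key Encrypted Session Key (PKESK) packet. gpg's --hidden-recipient and --throw-keyids options write the all-zero wildcard key ID in place of a real one, so a non-zero key ID is the recipient metadata this CVE is about. The two sample messages are constructed byte strings, not real ciphertext.

```python
PKESK_TAG = 1
WILDCARD = "0000000000000000"  # key ID written by gpg --hidden-recipient / --throw-keyids

def iter_packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers, no partial lengths."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {pos}")
        if ctb & 0x40:  # new-format header: tag in low 6 bits, variable-size length
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 2-5, length-field size in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = 1 << ltype
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), 1 + size
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        pos += hdr + length

def recipient_key_ids(data: bytes) -> list:
    """Hex key ID of every version-3 PKESK packet (1 version byte, then 8 key-ID bytes)."""
    return [body[1:9].hex() for tag, body in iter_packets(data) if tag == PKESK_TAG]

def leaks_recipients(data: bytes) -> bool:
    """True when any PKESK carries a real key ID, so every recipient (Bcc included) is visible."""
    return any(kid != WILDCARD for kid in recipient_key_ids(data))

# Constructed sample messages (not real ciphertext): two PKESKs plus a stub SEIPD (tag 18)
def _pkesk(key_id_hex: str) -> bytes:
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01\x00\x10\xab\xcd"  # RSA, dummy MPI
    return bytes([0x84, len(body)]) + body  # old-format header, tag 1, one-byte length

SEIPD_STUB = bytes([0xD2, 0x03, 0x01, 0xAA, 0xBB])
VISIBLE_MSG = _pkesk("0123456789abcdef") + _pkesk("fedcba9876543210") + SEIPD_STUB
HIDDEN_MSG = _pkesk(WILDCARD) + _pkesk(WILDCARD) + SEIPD_STUB
```

Run it on the dearmored (binary) form of a sent message; every non-zero key ID it lists can be matched against a keyring to name a recipient, which is exactly the inference the CVE describes, while a wildcard ID forces each receiving client to try its own secret keys instead.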
Affected Countries
United States, Germany, France, United Kingdom, Canada, Netherlands, Australia, Sweden, Switzerland, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2024-10-14T17:56:03.767Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69200f8659bb91a9a9ac5c70
Added to database: 11/21/2025, 7:06:46 AM
Last enriched: 2/27/2026, 9:52:28 PM
Last updated: 3/24/2026, 4:11:57 AM