The vulnerability in foxcpp maddy (versions before 0.9.3) is an LDAP injection (CWE-90) caused by improper neutralization of special elements in LDAP queries. The auth.ldap module interpolates usernames into LDAP filters and DN strings using strings.ReplaceAll() without using the available ldap.EscapeFilter() function. This affects three code paths: Lookup() filter, AuthPlain() DN template, and AuthPlain() filter. Exploitation requires network access to SMTP submission or IMAP interfaces and allows attackers to inject arbitrary LDAP filter expressions via the username field in AUTH PLAIN or LOGIN commands. This can lead to identity spoofing, LDAP directory enumeration, and blind extraction of LDAP attributes through authentication response side-channels. The issue is resolved in maddy version 0.9.3.

Successful exploitation allows an unauthenticated attacker with network access to SMTP submission or IMAP interfaces to manipulate LDAP queries used for authentication. This can result in identity spoofing by authenticating as another user, unauthorized enumeration of LDAP directory contents, and extraction of LDAP attribute values through side-channel analysis. The confidentiality and integrity of authentication processes are impacted, but availability is not affected.

This vulnerability is fixed in maddy version 0.9.3. Users should upgrade to version 0.9.3 or later to remediate the issue. There is no official vendor advisory provided here, but the fix is confirmed by the version update. Until upgraded, restrict network access to SMTP submission and IMAP interfaces to trusted users only to reduce exposure.