swoosh is vulnerable to Server-Side Request Forgery (SSRF)
21
Low Risk
Swoosh.Adapters.MsGraph builds its Microsoft Graph API request URL by interpolating the sender's email address into the path /users/{from}/sendMail without percent-encoding or validation. In lib/swoosh/adapters/ms_graph.ex, api_endpoint_url/2 places the from value verbatim into the URL, and deliver/2 issues an authenticated POST to that constructed endpoint using the application's Graph bearer token. In applications that derive the from address from untrusted or user-influenced input (such as a relay, contact form, or send-as feature), an attacker can inject URL-special characters (/, ?, #) into the local part of the address to escape the intended path segment and rewrite the request's path and query string. Because the redirected request is still sent with the application's Microsoft Graph credentials, the attacker can steer it to other Graph endpoints within the token's scopes. Applications that always send with a fixed, trusted from address are not affected.
You are affected if you are using a version that falls within the vulnerable range and your application uses Swoosh.Adapters.MsGraph with a from address derived from untrusted or user-influenced input (for example a relay, contact form, or send-as feature). Applications that always send with a fixed, trusted from address are not affected.
swoosh is vulnerable to Server-Side Request Forgery (SSRF) in versions 1.12.0 - 1.26.2.
Upgrade the swoosh library to the patch version. As a workaround, validate or reject sender addresses that contain URL-special characters such as /, ?, #, and .. before passing them to the adapter, or configure a static :url in the MsGraph adapter settings to bypass from interpolation.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant