Intel

AIKIDO-2026-861989

imapflow is vulnerable to STARTTLS Response Injection

STARTTLS Response Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 29, 2026

65

Medium Risk

This Affects:

JSimapflow
1.0.0 - 1.3.5
Fixed in 1.3.6
Are you affected? Scan for Free

TL;DR

ImapFlow upgrades plaintext IMAP connections to TLS with the STARTTLS command, but before the fix it does not verify that the server stayed silent between the tagged STARTTLS OK and the TLS handshake. A man-in-the-middle can inject plaintext IMAP data right after the OK, and those buffered bytes are then processed as if they had arrived inside the established TLS session. This lets an attacker smuggle forged, trusted server responses into an otherwise encrypted session. The fix detects trailing data through a per-command parser flag and a post-unpipe socket read, failing closed with a STARTTLS_INJECTION error before wrapping the socket.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and connect to IMAP servers over plaintext with a STARTTLS upgrade instead of implicit TLS.

Background info

imapflow is vulnerable to STARTTLS Response Injection in versions 1.0.0 - 1.3.5.

How to fix this

Upgrade the imapflow library to the patch version.