Cyber Resilience

CVE-2023-51764

Severity: Medium (public PoC available)
Published: 24 December 2023
Modified: 04 November 2025
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.2846 (96.6th percentile)
Risk Priority: 28 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-51764 is a medium-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Postfix. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

Postfix through version 3.8.5 is vulnerable to SMTP smuggling because it accepts the sequence <LF>.<CR><LF> in SMTP data even when other mail servers reject it. The flaw stems from insufficient restrictions on bare newlines and pipelining, allowing malformed messages to be processed differently across implementations. Affected deployments that lack the recommended smtpd_data_restrictions or smtpd_discard_ehlo_keywords settings are exposed by default.

Remote attackers who can reach an unpatched or misconfigured Postfix server can inject messages that carry a spoofed MAIL FROM address. This permits bypass of SPF checks on receiving systems that interpret the message differently, enabling phishing or other spoofed-mail campaigns without authentication.

Advisories from Red Hat and oss-security lists recommend applying the configuration smtpd_data_restrictions=reject_unauth_pipelining together with smtpd_discard_ehlo_keywords=chunking, or upgrading to Postfix 3.5.23, 3.6.13, 3.7.9, 3.8.4 or later and enabling smtpd_forbid_bare_newline=yes. These steps close both the original smuggling vector and variant newline-handling attacks.

The EPSS score has remained at 0.2846 since disclosure with no material increase observed.


Vulnerability details

Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Postfix supports <LF>.<CR><LF> but some other popular e-mail servers do not. To prevent attack variants (by always disallowing <LF> without <CR>), a different solution is required, such as the smtpd_forbid_bare_newline=yes option with a Postfix minimum version of 3.5.23, 3.6.13, 3.7.9, 3.8.4, or 3.9.
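As an added example (not Postfix code or the advisory's own), the following Python audit applies the mitigation logic from the two preceding sections to `postconf -n` output and a `mail_version` string, distinguishing the pipelining/CHUNKING workaround from the bare-newline fix on a patched release. The three-way classification and the acceptance of `reject` alongside `yes` are assumptions noted in the comments.

```python
# Branch minimums that ship smtpd_forbid_bare_newline, per the advisory text above.
FIXED_RELEASES = {(3, 5): (3, 5, 23), (3, 6): (3, 6, 13), (3, 7): (3, 7, 9), (3, 8): (3, 8, 4)}

def parse_postconf(text):
    """Turn 'name = value' lines (as printed by `postconf -n`) into a dict."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def has_bare_newline_fix(version):
    """True when the release is at/after its branch fix, or is 3.9 or newer."""
    v = tuple(int(part) for part in version.split("."))
    floor = FIXED_RELEASES.get(v[:2])
    return v >= floor if floor else v >= (3, 9)

def assess(postconf_text, version):
    """Classify one instance as 'fixed', 'workaround' or 'exposed', with reasons.

    'workaround' means reject_unauth_pipelining plus CHUNKING disabled: this closes
    the <LF>.<CR><LF> vector but not bare-<LF> variants, which need the patched release.
    """
    p = parse_postconf(postconf_text)
    # 'yes' is the advisory's value; 'reject' is the equivalent spelling accepted by
    # newer releases (assumption: both treated as enforcing here).
    forbid = p.get("smtpd_forbid_bare_newline", "no").lower() in ("yes", "reject")
    if forbid and has_bare_newline_fix(version):
        return "fixed", ["smtpd_forbid_bare_newline enforced on a patched release"]
    reasons = []
    if forbid:
        reasons.append(f"smtpd_forbid_bare_newline is set but {version} predates the fix")
    pipelining = "reject_unauth_pipelining" in p.get("smtpd_data_restrictions", "")
    chunking = "chunking" in p.get("smtpd_discard_ehlo_keywords", "").lower()
    if pipelining and chunking:
        return "workaround", reasons + ["bare-<LF> variants still need the patched release"]
    if not pipelining:
        reasons.append("smtpd_data_restrictions lacks reject_unauth_pipelining")
    if not chunking:
        reasons.append("smtpd_discard_ehlo_keywords does not drop chunking")
    return "exposed", reasons

# Constructed sample: a 3.8.1 host with only the EHLO half of the workaround applied.
SAMPLE_CONFIG = "smtpd_discard_ehlo_keywords = chunking, silent-discard\nsmtpd_data_restrictions = permit\n"
```

Feed it the real `postconf -n` and `postconf -h mail_version` output of each relay to get a per-host verdict with the missing setting named.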


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1684.002 Email Spoofing (Stealth): Adversaries may fake, or spoof, a sender's identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.

Why these techniques?

CVE-2023-51764 enables SMTP smuggling in Postfix, allowing exploitation of a public-facing mail server (T1190) to inject emails with spoofed MAIL FROM addresses, bypassing SPF and facilitating email spoofing (T1672).

Affected Assets

postfix / postfix: ≤ 3.5.23 · 3.6.0 — 3.6.13 · 3.7.0 — 3.7.9
fedoraproject / fedora: 38, 39
redhat / enterprise linux: 8.0, 9.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-345: Directly requires independent verification of matching output before adverse decisions, mitigating insufficient authenticity checks on data from external sources.

Addresses CWE-345: Use of approved PKI certificates provides verifiable data authenticity and origin for communications and artifacts.

Addresses CWE-345: Mandates provision of authenticity and integrity artifacts that enable verification of name/address resolution data.

Addresses CWE-345: Requires explicit verification of data authenticity from authoritative sources, preventing acceptance of unauthenticated resolution responses.

Addresses CWE-345: Requires verification of data authenticity and integrity (e.g., checksums) after aggregation or packing, directly reducing exploitation of insufficient verification before transmission.

Addresses CWE-345: Time synchronization supports reliable freshness verification when checking data authenticity across systems or components.

Addresses CWE-345: Mandates verification of data authenticity for software, firmware, and information.

Addresses CWE-345: Provenance documentation and monitoring directly enables verification of authenticity for components and data throughout their history.
