Roundcube Releases Urgent Security Update to Fix Critical Bugs
Roundcube Webmail has issued an urgent security update addressing eight critical vulnerabilities discovered by independent security researchers.
This release, version 1.6.14, is crucial as webmail servers process highly sensitive corporate and personal communications, making them prime targets. System administrators running Roundcube 1.6.x must apply this update immediately to prevent potential infrastructure compromise and data exposure.
Critical Vulnerabilities Addressed
The update patches several high-severity issues that could allow attackers to manipulate accounts, execute unauthorized actions, or extract sensitive information.
The key vulnerabilities fixed include:
- Pre-Auth Arbitrary File Write: An unsafe deserialization flaw in the Redis and Memcache session handler allows unauthenticated arbitrary file writing, reported by researcher y0us.
- Authentication Bypass: A logic bug permitted changing an account password without the user providing their old password, discovered by flydragon777.
- IMAP Injection and CSRF: A Cross-Site Request Forgery bypass combined with IMAP injection within the mail search function, reported by the Martila Security Research Team.
- Server-Side Request Forgery (SSRF): An SSRF and information disclosure vulnerability triggered via stylesheet links pointing to local network hosts, reported by Georgios Tsimpidas (Frey).
- Cross-Site Scripting (XSS): Malicious script execution triggered through HTML attachment previews, identified by aikido_security.
The most severe vulnerability is the pre-authentication arbitrary-file-write flaw. This stems from unsafe deserialization in session handlers, requiring no prior authentication. Remote attackers could exploit this to write malicious files directly to the server infrastructure, frequently leading to complete system compromise.
Three vulnerabilities specifically targeted Roundcube’s email privacy protections. Webmail clients typically block remote images by default to prevent sender tracking via pixels. Security researchers discovered methods to bypass these protections using specific SVG animate attributes and maliciously crafted body background tags (nullcathedral). A CSS-based mitigation bypass affecting fixed element positioning (not attributed) was also fixed. Resolving these UI bypasses ensures hidden tracking mechanisms and malicious assets remain effectively blocked until user consent.
Deployment and Mitigation Steps
The Roundcube development team considers version 1.6.14 a stable security release and strongly urges immediate adoption.
This update resolves a functional bug affecting PostgreSQL database connections using IPv6 addresses. Administrators must update all active production installations of Roundcube 1.6.x. Performing a comprehensive backup of all webmail data, configuration files, and underlying databases before updating is highly recommended.
Administrators downloading the update from the official GitHub repository should verify the integrity of installation packages using the provided SHA256 checksums to ensure supply chain security.