{"url":"http://public2.vulnerablecode.io/api/packages/83151?format=json","purl":"pkg:pypi/aiosmtpd@1.2.4","type":"pypi","namespace":"","name":"aiosmtpd","version":"1.2.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.4.6","latest_non_vulnerable_version":"1.4.6","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/55614?format=json","vulnerability_id":"VCID-u22d-runr-n7fd","summary":"aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. aiosmtpd is vulnerable to inbound SMTP smuggling. SMTP smuggling is a novel vulnerability based on not-so-novel interpretation differences of the SMTP protocol. By exploiting SMTP smuggling, an attacker may send smuggled/spoofed e-mails with fake sender addresses, allowing advanced phishing attacks. This issue also exists in other SMTP software like Postfix. With the right SMTP server constellation, an attacker can send spoofed e-mails to inbound/receiving aiosmtpd instances. This issue has been addressed in version 1.4.5. Users are advised to upgrade. 
There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-27305","reference_id":"","reference_type":"","scores":[{"value":"0.00731","scoring_system":"epss","scoring_elements":"0.73159","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00731","scoring_system":"epss","scoring_elements":"0.73236","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-27305"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27305","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27305"},{"reference_url":"https://github.com/aio-libs/aiosmtpd","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aio-libs/aiosmtpd"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/aiosmtpd/PYSEC-2024-221.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/aiosmtpd/PYSEC-2024-221.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066820","reference_id":"1066820","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066820"},{"reference_url":"https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb","reference_id":"24b6c79c8921cf1800e27ca144f4f37023982bbb","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"ge
neric_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-19T16:13:38Z/"}],"url":"https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27305","reference_id":"CVE-2024-27305","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27305"},{"reference_url":"https://github.com/advisories/GHSA-pr2m-px7j-xg65","reference_id":"GHSA-pr2m-px7j-xg65","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pr2m-px7j-xg65"},{"reference_url":"https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65","reference_id":"GHSA-pr2m-px7j-xg65","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-19T16:13:38Z/"}],"url":"https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65"},{"reference_url":"https://www.postfix.org/smtp-smuggling.html","reference_id":"smtp-smuggling.html","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","
scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-19T16:13:38Z/"}],"url":"https://www.postfix.org/smtp-smuggling.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/29769?format=json","purl":"pkg:pypi/aiosmtpd@1.4.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-uqa6-scxw-4qby"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aiosmtpd@1.4.5"}],"aliases":["CVE-2024-27305","GHSA-pr2m-px7j-xg65","PYSEC-2024-221"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u22d-runr-n7fd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49734?format=json","vulnerability_id":"VCID-uqa6-scxw-4qby","summary":"aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted commands after STARTTLS, treating them as if they came from inside the encrypted connection. This could be exploited by a man-in-the-middle attack. 
Version 1.4.6 contains a patch for the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34083","reference_id":"","reference_type":"","scores":[{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.2295","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22754","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-34083"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34083","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34083"},{"reference_url":"https://github.com/aio-libs/aiosmtpd","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/aio-libs/aiosmtpd"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072119","reference_id":"1072119","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072119"},{"reference_url":"https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda","reference_id":"b3a4a2c6ecfd228856a20d637dc383541fcdbfda","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-28T19:53:50Z/"}],"url":"https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34083","reference_id":"CVE-2024-34083","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS
:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34083"},{"reference_url":"https://github.com/advisories/GHSA-wgjv-9j3q-jhg8","reference_id":"GHSA-wgjv-9j3q-jhg8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wgjv-9j3q-jhg8"},{"reference_url":"https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8","reference_id":"GHSA-wgjv-9j3q-jhg8","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-28T19:53:50Z/"}],"url":"https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8"},{"reference_url":"https://nostarttls.secvuln.info","reference_id":"nostarttls.secvuln.info","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-28T19:53:50Z/"}],"url":"https://nostarttls.secvuln.info"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/31508?format=json","purl":"pkg:pypi/aiosmtpd@1.4.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aiosmtpd@1.4.6"}],"aliases":["CVE-2024-34083","GHSA-wgjv-9j3q-jhg8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/
VCID-uqa6-scxw-4qby"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/aiosmtpd@1.2.4"}