CVE-2021-42216

9.8 CRITICAL

📋 TL;DR

CVE-2021-42216 is a critical cryptographic vulnerability in the AnonAddy email forwarding service that allows attackers to bypass email verification and potentially compromise user accounts. The vulnerability affects AnonAddy 0.8.5 and earlier, impacting all users of the self-hosted software. Attackers can exploit the weak cryptographic implementation to forge verification tokens.

💻 Affected Systems

Products:
  • AnonAddy
Versions: 0.8.5 and earlier
Operating Systems: Linux, Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects self-hosted instances of AnonAddy; cloud service may have been patched earlier.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover, unauthorized access to email forwarding services, and potential exposure of sensitive communications.
🟠 Likely Case: Account compromise leading to unauthorized email forwarding, privacy violations, and potential credential theft.
🟢 If Mitigated: Limited impact with proper network segmentation and monitoring, but verification bypass remains possible.

🌐 Internet-Facing: HIGH - AnonAddy is typically deployed as an internet-facing email service.
🏢 Internal Only: LOW - The software is designed for internet-facing deployment.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires understanding of the cryptographic weakness but is technically straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.6 and later

Vendor Advisory: https://github.com/anonaddy/anonaddy/security/advisories

Restart Required: Yes

Instructions:

1. Update to AnonAddy 0.8.6 or later.
2. Run 'composer update' to update dependencies.
3. Clear the application cache.
4. Restart PHP-FPM and the web server.

🔧 Temporary Workarounds

Disable email verification temporarily
Applies to: all
Temporarily disable the email verification feature until patched.
Edit VerificationController.php to return early with an error.

🧯 If You Can't Patch

  • Implement network-level restrictions to limit access to verification endpoints
  • Enable detailed logging and monitoring for verification attempts

🔍 How to Verify

Check if Vulnerable:

Check whether you are running AnonAddy 0.8.5 or earlier by examining composer.json or the package version.

Check Version:

grep -r 'version' composer.json || cat vendor/anonaddy/anonaddy/VERSION

Verify Fix Applied:

Verify that the version is 0.8.6 or later and that VerificationController.php uses secure cryptographic functions.

📡 Detection & Monitoring

Log Indicators:

  • Unusual verification attempts
  • Multiple failed verifications from same IP
  • Verification bypass patterns

Network Indicators:

  • Abnormal traffic to /email/verify endpoints
  • Suspicious verification token patterns

SIEM Query:

source="anonaddy.logs" AND ("verification" OR "verify") AND status="200" AND user_agent="suspicious"

(user_agent="suspicious" is a placeholder: substitute the user-agent string or source IP you are hunting for, or drop that clause and aggregate verification requests by source IP.)
