Summary
Expired tokens can be renewed without validating the account password
Issue details
Because it was originally designed for use as an interactive, local-only service on a single device, the proxy automatically resets account access tokens if incorrect IMAP/POP/SMTP login details are provided. For public-facing deployments, the delete_account_token_on_password_error option is provided, and can be set to False to disable this behaviour, which would normally be only a nuisance, rather than a security risk.
Regardless of this option's value, the proxy encrypts locally-stored tokens, and requires interactive re-authentication (or, with the resource owner password credentials grant (ROPCG) flow, the correct remote account password) to renew tokens if they expire or are reset. The proxy's token retrieval implementation was created with this interactive process in mind.
The CCG flow is an administrator-level method that grants broad access without user knowledge or consent, no user interaction (or remote account password) is ever required. From 8c874c2ff3d503ac20c7d32f46e08547fcb9e23f until the fix in eaaa1a2e7a132bf0958dd2f99a749ad98e3212aa, when CCG tokens neared their expiry date (or had already expired), and the original unencrypted client_secret value was available they were automatically reset, renewed and encrypted with the given login password, but without checking whether that password was actually able to decrypt the existing token.
Detecting unauthorised access
If you do not use the OAuth 2.0 CCG flow (which is currently only known to be supported by O365), unauthorised account access was not possible.[^1] Attempts to exploit this flaw will be revealed in the same way as any other malicious access: an unexpected reauthorisation prompt from the proxy when trying to log in with the legitimate account details.
When using the CCG flow, if you have set delete_account_token_on_password_error = False, unauthorised access will be revealed by the presence of an unexpected login failure from the proxy when attempting to log in with the correct password.
It you have not set this value, it is not possible to detect unauthorised access in O365 CCG mode except via AAD/Entra or other external logs. However, it is also worth reiterating that the CCG flow should never be used in a publicly-accessible context due to the significant and potentially dangerous account control it provides.
[^1]: If you are using a provider that does not provide an OAuth 2.0 refresh token (or have configured your account's scope so that this is not present), it is possible to trigger the line of code that caused this issue, but there is no way to use it for account access because interactive authentication is still required.
Impact
In versions of the proxy from 2022-09-05 onwards (since 8c874c2ff3d503ac20c7d32f46e08547fcb9e23f), expired OAuth 2.0 client credentials grant (CCG) flow authorisation tokens could be renewed automatically without checking their validity against the original account configuration (i.e., the password that was set up when first creating an account in the proxy).
An attacker with knowledge of valid account addresses and careful timing (specifically, attempting to log in during a period from 10 minutes prior to the token expiry time, but before a genuine login request is received) could use this issue to gain access to an account.
This issue is only a security concern if you use the proxy with the CCG flow and no additional account secret encryption (see below). If this is the case, it is particularly important to update if you use the proxy in a publicly-accessible setting (i.e., it is available from the internet or across a network). To fix the issue you should switch to version 2023-12-19 or later of the proxy immediately.
If you use this flow, but have also set encrypt_client_secret_on_first_use = True and removed the original client_secret value from the proxy's configuration file then this issue is not a concern.
For all other use-cases (e.g., a normal interactive account authentication, or the ROPCG flow), this issue is also not a concern. However, it is always recommended as best practice to keep the proxy up-to-date.
GHSA-9WGG-M99Q-HHFC has a CVSS score of 8.1 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2023.12.19); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Email OAuth 2.0 Proxy version 2023-12-19 (commit eaaa1a2e7a132bf0958dd2f99a749ad98e3212aa) fixes this issue.
Frequently Asked Questions
- What is GHSA-9WGG-M99Q-HHFC? GHSA-9WGG-M99Q-HHFC is a high-severity security vulnerability in emailproxy (pip), affecting versions <= 2023.11.18. It is fixed in 2023.12.19.
- How severe is GHSA-9WGG-M99Q-HHFC? GHSA-9WGG-M99Q-HHFC has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of emailproxy are affected by GHSA-9WGG-M99Q-HHFC? emailproxy (pip) versions <= 2023.11.18 is affected.
- Is there a fix for GHSA-9WGG-M99Q-HHFC? Yes. GHSA-9WGG-M99Q-HHFC is fixed in 2023.12.19. Upgrade to this version or later.
- Is GHSA-9WGG-M99Q-HHFC exploitable, and should I be worried? Whether GHSA-9WGG-M99Q-HHFC is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-9WGG-M99Q-HHFC is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-9WGG-M99Q-HHFC? Upgrade
emailproxyto 2023.12.19 or later.