The mystery of the Mailman 2 CVEs
Many eyebrows were raised recently when three vulnerabilities were announced that allegedly impact GNU Mailman 2.1, since many folks assumed that it was no longer being supported. That's not quite the case. Even though version 3 of the GNU Mailman mailing-list manager has been available since 2015, and version 2 was declared (mostly) end of life (EOL) in 2020, there are still plenty of users and projects using version 2.1.x. There is, as it turns out, a big difference between mostly EOL and actually EOL. For example: WebPros, the company behind the cPanel server and web-site-management platform, still maintains a port of Mailman 2.1.x to Python 3 for its customers and was quick to respond to reports of vulnerabilities. However, the company and the upstream Mailman project dispute that the CVEs are valid.
GNU Mailman 2
Mailman has been in development since 1998, and no doubt many LWN readers have had, or still have, subscriptions to mailing lists managed by some version of the software. The 1.0 release was announced in July 1999, with the 2.0 release following closely in November 2000. The project embarked on a major rewrite for the 3.0 release, which provided support for Python 3 and split Mailman into several components. The new Mailman was not, and still is not, a simple upgrade from the earlier version. It lacked feature parity with 2.1.x when it was first released in 2015, and still lacks a few features (such as topic filters) that users liked.
However, Mailman 2.x does not run on Python 3—and the project has been gently trying to nudge users away from the 2.x series for quite some time. Python 2.x was sunset on January 1, 2020, though it is currently still supported by some Linux vendors as part of long-term-support releases. Mailman core contributor Mark Sapiro said in 2017 that he was the only person still supporting 2.1.x. In 2020, Sapiro announced 2.1.30 as the last release to contain any new features. But he also said that there might be further updates with bug and security fixes, as well as internationalization updates.
The last 2.1.x release, so far, is version 2.1.39, which was announced in December 2021. It fixed two CVEs: a remote-privilege-escalation vulnerability (CVE-2021-42097), and a flaw that could allow list members or moderators to obtain a token to make administrative changes (CVE-2021-44227). According to that announcement, there is still the possibility that there will be more patch releases to address security problems. The Mailman web site also lists 2.1.39 as a current, stable version rather than as an EOL version, but its home page also has a thank you for donors who helped a Mailman core developer attend PyCon 2015. It's just possible that the project's web-site maintenance has fallen a bit behind.
In any case, plenty of users are still on Mailman 2.x with little sign of budging, including those who use the proprietary cPanel control panel. Last year, rather than trying to force its users to migrate, cPanel announced that it would provide extended support for Mailman 2 by upgrading it to Python 3 and taking responsibility for continued maintenance. The cPanel fork of Mailman is on GitHub and is based on a port to Python 3 by Jared Mauch. That fork has received a steady trickle of small commits from WebPros developers, with nearly 30 commits in 2025 from six people.
Vulnerabilities
On April 20, three CVEs were published that are supposed to affect "GNU Mailman 2.1.39, as bundled with cPanel and WHM" by two researchers—Firudin Davudzada and Aydan Musazade—from a company called Datricon. CVE-2025-43919 is described as a path-traversal vulnerability that would allow attackers to read arbitrary files. CVE-2025-43920 claims that unauthenticated attackers can execute arbitrary commands by using shell metacharacters in an email Subject line, if an external archiver (such as MHonArc) is used to archive Mailman emails. It does not specify which external archiving software has been tested to produce this vulnerability, but blames Mailman for not sanitizing input to the external archiver. Finally, CVE-2025-43921 reports that unauthenticated attackers could create mailing lists.
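As an added, defensive illustration of the handoff that CVE-2025-43920 is about (example code written for this discussion, not Mailman's or cPanel's own code): a list manager can hand a message to an external archiver as an argv list plus stdin, so header bytes are data to the child process and never shell syntax. The template convention with a `%(listname)s` placeholder, the list-name rule, the echoing stand-in archiver, and the sample message are all assumptions constructed for the example.

```python
import re
import shlex
import subprocess
import sys
from email import message_from_bytes

# Hypothetical list-name rule: bound the one runtime value substituted into the template.
LISTNAME_RE = re.compile(r"^[a-z0-9][a-z0-9_.+-]*$")

def listname_is_safe(listname: str) -> bool:
    return bool(LISTNAME_RE.match(listname))

def build_argv(template: str, listname: str) -> list:
    """Tokenise the operator-controlled template once, then substitute the
    validated list name token by token. Nothing is re-parsed by a shell."""
    if not listname_is_safe(listname):
        raise ValueError("refusing suspicious list name: %r" % listname)
    return [tok.replace("%(listname)s", listname) for tok in shlex.split(template)]

def archive_message(template: str, listname: str, raw_message: bytes) -> bytes:
    """Run the archiver with an argv list and feed the message on stdin:
    header bytes are opaque input to the child, never part of a command line.
    Returns whatever the archiver wrote to stdout."""
    proc = subprocess.run(build_argv(template, listname), input=raw_message,
                          capture_output=True, check=True)
    return proc.stdout

def subject_arrives_verbatim(template: str, listname: str, raw_message: bytes) -> bool:
    """Defender's check: whatever the archiver received parses back to the
    exact Subject that was sent, metacharacters included."""
    received = archive_message(template, listname, raw_message)
    return (received == raw_message and
            message_from_bytes(received)["Subject"]
            == message_from_bytes(raw_message)["Subject"])

# Constructed stand-in archiver: a Python child that echoes stdin so delivery
# can be verified offline. A real deployment would name e.g. an MHonArc binary.
ECHO_ARCHIVER = "%s -c %s --outdir /srv/archives/%%(listname)s" % (
    shlex.quote(sys.executable),
    shlex.quote("import sys; sys.stdout.buffer.write(sys.stdin.buffer.read())"))

# Constructed message whose Subject is full of shell metacharacters.
HOSTILE_MESSAGE = (b"From: alice@example.org\r\n"
                   b"To: announce@lists.example.org\r\n"
                   b"Subject: agenda `id`; echo INJECTED $(whoami)\r\n"
                   b"\r\nSee attached.\r\n")

if __name__ == "__main__":
    print(subject_arrives_verbatim(ECHO_ARCHIVER, "announce", HOSTILE_MESSAGE))
```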
Each of the CVEs has a corresponding repository on GitHub (CVE-2025-43919, CVE-2025-43920, and CVE-2025-43921) with a description of the vulnerability, exploitation scenarios, and so forth. The overviews published on GitHub by Davudzada and Musazade claim that these vulnerabilities were discovered in "Q1 2025" and reported to cPanel and the GNU Mailman project in Q1.
Alan Coopersmith forwarded the CVEs to the oss-security list on April 21. Valtteri Vuorikoski replied: "I saw these mentioned earlier and could not reproduce either on a stock 2.1.39 install." Vuorikoski wondered if the vulnerabilities might be specific to the cPanel version.
According to the cPanel support forum, they do not affect its version, either. On April 28, the company posted a support article to say that it had investigated the CVEs "both internally and via third party subject-matter experts" and could not reproduce the vulnerabilities using the information provided. The article also states that there is no record that the reporters attempted to contact the company:
We have contacted the Mailman maintainers, and they do not show any records of an attempted contact from the reporters either. We have attempted to contact the reporter multiple times via their publicly listed email addresses and have received no response. We do not consider these vulnerabilities to be valid. We will be taking no further action unless new information is provided.
I reached out to Sapiro by email, and he said no one with the GNU Mailman project had been contacted "as far as we know" and described the vulnerabilities as "bogus":
CVE-2025-43919 and CVE-2025-43921 ignore the fact that the attacker would need to provide authentication which the proof of concept attacks do not do and hence do not work. Thus, there is no vulnerability.
The vulnerability described by CVE-2025-43920 "relies on a convoluted configuration with an external archiver", he said, and that attack could be carried out equally well by sending the email directly to the archiver. "There are no plans to address this in Mailman 2.1."
I also contacted Datricon about the vulnerabilities and received a reply from Musazade. She said they had emailed cPanel on February 27 before applying for the CVEs, but made no mention of contacting the Mailman maintainers. She said that the lack of response to cPanel was because the messages from cPanel fell on non-business days, though that does not explain why they did not follow up later. However, she said that they have now communicated with the cPanel team—presumably since cPanel published its update on April 28—and would "provide best support and advisory regarding technical explanations of the CVEs" to help them reproduce the issues.
It is not uncommon for vulnerabilities to be difficult to reproduce under differing configurations. Factors such as customized software builds (such as cPanel's Mailman variant), environmental differences, and specific operational conditions (authentication, user permissions) can all impact reproducibility. Nonetheless, reproduction difficulty does not invalidate a vulnerability, especially after independent vetting and CVE assignment by MITRE and [the National Vulnerability Database (NVD)].
MITRE, of course, does not provide independent testing or validation of vulnerability reports, and the fact that a CVE was published does not guarantee that it's valid. NIST has updated each of the NVD's CVE entries to note that multiple third parties have reported that they are unable to reproduce the vulnerabilities. It's also odd that, despite the reporters' claim to have contacted cPanel and the upstream project, both of those parties dispute having had any contact.
No rush
It would seem that users of Mailman 2.1.39, or the cPanel fork, are not in imminent danger. The consensus from all parties—except the reporters—seems to be that the alleged vulnerabilities are not valid. Or "bogus", as Sapiro put it.
However, 2.x is largely a dead end, even if it does not have any currently known vulnerabilities. As Russ Allbery said on the oss-security list, "it's probably more realistic to view Mailman 2 as orphaned, end-of-life software" that will require a major migration.
While cPanel is, currently, providing extended maintenance for the project, there is no indication how long it will continue to do so or that a community is forming around the fork. Those remaining on 2.x should probably be plotting the migration to another mailing-list-manager platform at some point, whether that is Mailman 3, or something like Discourse that provides a discussion forum with the ability to participate via email.
Mailman 3 upgrade is a pain
Posted May 1, 2025 9:01 UTC (Thu)
by rsidd (subscriber, #2582)
Anyway, anyone still using mailman 2 should probably use cPanel's version for a smoother upgrade compared to mailman 3.
Mailman 3 upgrade is a pain
Posted May 1, 2025 12:37 UTC (Thu)
by dskoll (subscriber, #1630)
Agreed. I looked at Mailman 3 and decided the pain wasn't worth it. Also, for other reasons that I don't want to get into, the MTA on my Mailman machine is Sendmail, and I've yet to find a way for Mailman 3 to integrate with Sendmail.
Debian dropped Mailman 2 when Debian 12 came out, and my Mailman installation was forcibly uninstalled, which was not great. I had to reinstall from source.
Mailman 3 upgrade is a pain
Posted May 1, 2025 19:26 UTC (Thu)
by madhatter (subscriber, #4665)
Porting is not always as hard as you think
Posted May 1, 2025 12:52 UTC (Thu)
by davecb (subscriber, #1574)
I used to be part of a team that did fixed-price (!) ports of other commercial Unixes to Solaris and Linux. That took some machine translation and some human judgement. For the specific case of source-code ports, a working and open-source example of computer-aided human translation lives at https://github.com/davecb/port
For porting the data between incompatible systems, have a peek at https://leaflessca.wordpress.com/2018/12/07/when-update-m...
Do consider a tool to help in 2.x to 3.x releases
Feel free to ping me if I can help: I'd file an RFE if I could figure out where (:-))