Perceptive Security
SOC/SIEM Consultancy

maddy is a composable, all-in-one mail server. Versions prior to 0.9.3 contain an LDAP injection vulnerability in the auth.ldap module where user-supplied usern…
Published:
15 April 2026 at 22:00:00
Alert date:
16 April 2026 at 01:02:25
Source:
nvd.nist.gov
Email & Messaging, Identity & Access
The maddy mail server versions prior to 0.9.3 contain an LDAP injection vulnerability in the auth.ldap module. User-supplied usernames are interpolated into LDAP search filters without proper escaping, despite available sanitization functions. Attackers with network access to SMTP or IMAP interfaces can inject arbitrary LDAP filter expressions through AUTH PLAIN or LOGIN commands. This enables identity spoofing, LDAP directory enumeration, and blind extraction of attribute values. The vulnerability affects three code paths: Lookup() filter, AuthPlain() DN template, and AuthPlain() filter. Fixed in version 0.9.3.
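The two filter code paths named above share one defect: the username is interpolated into an LDAP filter as a raw string, so filter metacharacters in it change the query's structure. The Go below is an added example, not maddy's code, showing the unsafe interpolation next to a hardened version that applies RFC 4515 filter escaping, plus two defender-side checks: a metacharacter test a SIEM rule could apply to the username seen in an AUTH attempt, and a structural check (count of unescaped `(`) that must be invariant across inputs once escaping is in place. The filter template, the `{username}` placeholder and the sample usernames are constructed for the example. It covers the filter paths only; the DN template path needs RFC 4514 distinguished-name escaping, which follows different rules.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilter applies RFC 4515 escaping to a value embedded in an LDAP
// search filter: '*', '(', ')', '\', NUL and any non-ASCII byte become a
// backslash followed by the two-digit hex code of the byte.
func escapeFilter(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c == '*' || c == '(' || c == ')' || c == '\\' || c == 0 || c > 0x7f {
			fmt.Fprintf(&b, "\\%02x", c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buildFilterUnsafe mirrors the vulnerable pattern: the raw username is
// substituted into the filter template without escaping.
func buildFilterUnsafe(template, username string) string {
	return strings.ReplaceAll(template, "{username}", username)
}

// buildFilterSafe is the hardened form: the username is escaped before it
// is substituted, so it can only ever match as a literal value.
func buildFilterSafe(template, username string) string {
	return strings.ReplaceAll(template, "{username}", escapeFilter(username))
}

// hasFilterMetachars reports whether a username carries characters that are
// meaningful inside an LDAP filter. Usable as a detection rule on the
// username field of SMTP/IMAP AUTH events: legitimate accounts rarely do.
func hasFilterMetachars(username string) bool {
	return strings.ContainsAny(username, "*()\\\x00")
}

// unescapedOpenParens counts '(' characters not preceded by a backslash.
// For a fixed template this count must not depend on the username; if it
// does, the username is being interpolated unescaped.
func unescapedOpenParens(filter string) int {
	n := 0
	for i := 0; i < len(filter); i++ {
		if filter[i] == '(' && (i == 0 || filter[i-1] != '\\') {
			n++
		}
	}
	return n
}

func main() {
	// Constructed template in the style of a username lookup filter.
	tmpl := "(&(objectClass=person)(uid={username}))"
	for _, u := range []string{"jdoe", "a*b)(c"} { // constructed sample usernames
		fmt.Printf("username %q metachars=%v\n", u, hasFilterMetachars(u))
		fmt.Printf("  unsafe: %s  (open parens: %d)\n",
			buildFilterUnsafe(tmpl, u), unescapedOpenParens(buildFilterUnsafe(tmpl, u)))
		fmt.Printf("  safe:   %s  (open parens: %d)\n",
			buildFilterSafe(tmpl, u), unescapedOpenParens(buildFilterSafe(tmpl, u)))
	}
}
```

The structural check is the useful part for review: with the template above, the safe builder always yields three unescaped `(` regardless of the username, while the unsafe builder's count grows with every `(` the client supplies. That invariant is what an escaping fix restores.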
Technical details
Mitigation steps:
Affected products:
maddy mail server
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-40193
https://github.com/foxcpp/maddy/commit/6a06337eb41fa87a35697366bcb71c3c962c44ba
https://github.com/foxcpp/maddy/releases/tag/v0.9.3
https://github.com/foxcpp/maddy/security/advisories/GHSA-5835-4gvc-32pc
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
