Could this vulnerability allow extraction of SMTP credentials and be abused for sending emails? #2116
Hello, I’m opening a separate security-related question regarding this vulnerability. Rallly was running in my case inside a Docker container, so OS-level access was of course limited. However, from a security perspective, the application still had access to sensitive configuration such as environment variables and secrets, including SMTP credentials.

My question is therefore focused on the realistic impact within a containerized setup: Is it possible that this vulnerability could be exploited to access application-level secrets (for example environment variables, config values, or mounted secret files) inside the container? If so, this could allow an attacker to extract SMTP credentials and authenticate directly against the configured mail server, enabling email abuse (spam, test mails, phishing, reputation damage), even without further compromise of the host system.

From your assessment:
Even with container isolation, misuse of application mail credentials would still represent a significant security and operational risk. Thanks for clarifying the potential security impact.
Replies: 1 comment 1 reply
Yes, CVE-2025-55182, which affected Rallly v4.5.8 and earlier, can allow remote code execution if exploited. It’s safest to assume an attacker could access anything the application process can access inside the container, including environment variables and other secrets (for example SMTP credentials). In response to this issue, I rotated credentials for the production instance and recommend you do the same for any affected self-hosted deployments.
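A small triage helper for the rotation advice in the reply above, added here as an example and not part of the Rallly project or this thread: it reads `docker inspect` style JSON, flags containers running a Rallly image at v4.5.8 or earlier (or with a tag whose version cannot be determined), and lists the names of environment variables that look like credentials so they can be rotated. The image repository name, the sample container data and the env var names are assumptions constructed for the example; it never prints secret values.

```python
import json
import re

# Constructed sample in the shape of `docker inspect` output (not from a real host).
# Image repository and env var names are assumptions for illustration only.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/rallly", "Config": {"Image": "lukevella/rallly:4.5.8",
     "Env": ["SMTP_HOST=smtp.example.test", "SMTP_USER=mailer",
             "SMTP_PWD=hunter2", "SECRET_PASSWORD=abcdef0123456789", "PORT=3000"]}},
    {"Name": "/rallly-new", "Config": {"Image": "lukevella/rallly:4.5.9",
     "Env": ["SMTP_PWD=x"]}},
    {"Name": "/db", "Config": {"Image": "postgres:16", "Env": ["POSTGRES_PASSWORD=pg"]}},
])

LAST_VULNERABLE = (4, 5, 8)  # v4.5.8 and earlier are affected per the reply above
SECRET_MARKERS = re.compile(r"(PASSWORD|PWD|SECRET|TOKEN|KEY|DATABASE_URL)", re.I)


def parse_version(tag):
    """Return (major, minor, patch) from a tag like '4.5.8' or 'v4.5.8', else None."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def affected_containers(inspect_json, image_repo="lukevella/rallly"):
    """List containers on an affected image and the credential-like env var names to rotate."""
    report = []
    for c in json.loads(inspect_json):
        image = c["Config"]["Image"]
        repo, _, tag = image.partition(":")
        if repo != image_repo:
            continue
        ver = parse_version(tag)
        # Tags such as "latest" cannot be cleared by version alone, so they stay flagged.
        if ver is not None and ver > LAST_VULNERABLE:
            continue
        names = sorted(e.split("=", 1)[0] for e in c["Config"].get("Env", [])
                       if SECRET_MARKERS.search(e.split("=", 1)[0]))
        report.append({"container": c["Name"].lstrip("/"), "image": image,
                       "version": ver, "rotate": names})
    return report


if __name__ == "__main__":
    for entry in affected_containers(SAMPLE_INSPECT):
        print(f"{entry['container']} ({entry['image']}): rotate {', '.join(entry['rotate'])}")
```

On a real host, feed it the output of `docker inspect $(docker ps -q)` instead of the constructed sample.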