CVE-2024-42009 — RoundCube Webmail Cross-Site Scripting Vulnerability


Roundcube Webmail — XSS via Desanitized message_body(); APT Email Surveillance; Fixed in 1.5.8 and 1.6.8

What is Roundcube Webmail?

Roundcube is one of the most widely deployed open-source web-based email clients, used by internet service providers, universities, governments, and enterprises globally. It processes and renders HTML email content in the browser — making its HTML sanitization a critical security boundary. Any bypass of sanitization allows email senders to inject JavaScript that executes in the victim's browser context, enabling email account takeover and session theft. Roundcube has a long history of XSS exploitation by sophisticated threat actors including APT28 and Winter Vivern.

See also CVE-2025-68461 (December 2025 Roundcube XSS via SVG animate tag) for a later vulnerability in the same product.

Overview

CVE-2024-42009 is a cross-site scripting vulnerability (CWE-79) in Roundcube Webmail caused by a desanitization issue in the message_body() function in program/actions/mail/show.php. An attacker can craft a malicious email that, when opened in Roundcube, executes JavaScript in the victim's browser, letting them read email contents, steal session cookies, and send emails on behalf of the victim. The Changed scope (S:C) and High confidentiality and integrity impacts reflect that the script, once running in the victim's browser, reaches beyond the rendered message to the victim's full email account. CISA added it to the KEV catalog 10 months after the patch, indicating sustained exploitation of unpatched instances throughout this period.

Affected Versions

Branch            Vulnerable   Fixed
Roundcube 1.6.x   < 1.6.8      1.6.8
Roundcube 1.5.x   < 1.5.8      1.5.8

Technical Details

The XSS (CWE-79) is a desanitization issue in Roundcube's message_body() function, the code responsible for rendering HTML email bodies. When Roundcube processes a specially crafted HTML email, a specific combination of HTML attributes or tags causes content that should have been stripped to be re-introduced after the sanitization pass (hence "desanitization"). The attacker embeds JavaScript in the email body in a way that survives this pipeline.

When the victim opens the email in Roundcube, the injected JavaScript executes in the browser:

  • Reads email data: accesses other emails, contacts, and account settings via Roundcube's AJAX API
  • Steals session cookies (if not HttpOnly) enabling account takeover
  • Sends exfiltration requests: forwards email contents to attacker-controlled servers
  • Sends emails as the victim: enables phishing or business email compromise from the victim's account

The attack requires only that the victim open the email — zero additional clicks. An attacker sends the crafted email, waits for the target to open it in Roundcube, and collects the exfiltrated data.
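The passage above describes a desanitization bug class rather than the exact Roundcube code path, so the following added example (written for this page, not Roundcube's own code) illustrates the class generically: a toy parser-based sanitizer, a later rendering step that decodes HTML entities, and the two possible orderings. It also shows the regression check a maintainer would want, namely that output about to reach the browser is a fixed point of the sanitizer. The sample input, the `ToySanitizer` class and the `post_process` step are all constructed for illustration; they are not Roundcube's washtml or message_body() logic.

```python
import html
from html.parser import HTMLParser

DROP_ELEMENTS = {"script", "style", "iframe", "object", "embed"}  # contents discarded entirely
VOID_ELEMENTS = {"img", "br", "hr", "input", "meta", "link"}      # no closing tag emitted


class ToySanitizer(HTMLParser):
    """Minimal stand-in for a washing step (constructed for this example): rebuilds the
    markup from the parse tree, dropping dangerous elements, on* event-handler attributes
    and javascript: URLs, and re-escaping every text node so it cannot become markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self.skip_depth += 1
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                continue  # event handler attribute
            if lname in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                continue  # script URL
            kept.append((lname, value or ""))
        attr_text = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag in VOID_ELEMENTS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str) -> str:
    parser = ToySanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def post_process(fragment: str) -> str:
    """Stands in for any transformation applied after washing. Decoding entities is the
    classic mistake: text the sanitizer deliberately escaped becomes live markup again."""
    return html.unescape(fragment)


def render_legacy(body: str) -> str:
    """Vulnerable ordering: the sanitizer runs first and a later step undoes its work."""
    return post_process(sanitize(body))


def render_hardened(body: str) -> str:
    """Safe ordering: whatever transformations run, the sanitizer has the last word."""
    return sanitize(post_process(sanitize(body)))


def is_fixed_point(rendered: str) -> bool:
    """Regression check: output about to reach the browser must be unchanged by another
    sanitizer pass. If it is not, some step after washing re-introduced markup."""
    return sanitize(rendered) == rendered


if __name__ == "__main__":
    # Constructed sample: the event handler is escaped text, so the sanitizer correctly leaves it alone.
    sample = '<p>Hello</p><div title="t">&lt;img src=x onerror=alert(1)&gt;</div>'
    print("legacy  :", render_legacy(sample), "| fixed point:", is_fixed_point(render_legacy(sample)))
    print("hardened:", render_hardened(sample), "| fixed point:", is_fixed_point(render_hardened(sample)))
```

The fixed-point check is the useful takeaway: it does not need to know which transformation was added after washing, only that the final output would be left untouched by the sanitizer, which is exactly the property a desanitization bug violates.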

Discovery

The initial discovery has not been publicly attributed. The 10-month gap before KEV listing reflects ongoing APT exploitation, likely by state-sponsored actors who prefer to exploit vulnerabilities quietly before they become widely patched.

Exploitation Context

CISA confirmed active exploitation and added the vulnerability to the KEV catalog on June 9, 2025, 10 months after the August 2024 patch. Roundcube's history of state-sponsored exploitation (APT28 used a Roundcube XSS zero-day in 2023 for diplomatic email surveillance; Winter Vivern targeted European government Roundcube instances) suggests this vulnerability was used in targeted surveillance campaigns during the unpatched period.

The CVSS 9.3 "CRITICAL" rating for an XSS reflects the real-world impact of email surveillance: access to confidential communications, credential theft, and the ability to send emails as the victim for business email compromise.

Remediation

  1. Upgrade Roundcube to 1.6.8 or 1.5.8 immediately. The CISA deadline was June 30, 2025.
  2. Apply the December 2025 companion patch for CVE-2025-68461 (SVG animate tag XSS) — both target Roundcube's HTML sanitization; upgrade to 1.6.12+/1.5.12+ to address both.
  3. Enable HttpOnly on session cookies in Roundcube's configuration — this prevents JavaScript from reading the session cookie even if XSS fires, limiting the attack to same-session impact.
  4. Implement Content Security Policy (CSP) headers to restrict inline JavaScript execution in the Roundcube web application.
  5. Audit inbound email logs for messages from unknown senders with complex HTML bodies sent to high-value accounts during the August 2024–June 2025 exposure window.
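Steps 3 to 5 above are checks an operator can script. The following added example (written for this page; not Roundcube's code or configuration) does two of them offline: it audits the response headers of a Roundcube deployment for the session-cookie flags and a Content-Security-Policy that does not permit inline scripts, and it triages an inbound HTML message by sender domain, recipient and active-content indicators. The header list, the cookie name, the trusted-domain and high-value-recipient sets, the `tag_threshold` parameter and the sample message are all constructed assumptions; a real run would feed it headers captured from your own instance and messages pulled from your mail store for the August 2024 to June 2025 window.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser

# ---- Steps 3 and 4: session-cookie flags and CSP on a Roundcube HTTP response ----

def check_response_headers(headers):
    """headers: list of (name, value) pairs as an HTTP client returns them (assumed shape).
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    csp = None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            flags = {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}
            for flag in ("httponly", "secure", "samesite"):
                if flag not in flags:
                    findings.append(f"{cookie_name}: missing {flag}")
        elif lname == "content-security-policy":
            csp = value
    if csp is None:
        findings.append("no Content-Security-Policy header")
    else:
        directives = {}
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        # script-src falls back to default-src when it is absent
        script_src = directives.get("script-src", directives.get("default-src", []))
        if not script_src:
            findings.append("CSP does not restrict script-src")
        elif "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("script-src permits inline or wildcard scripts")
    return findings


# ---- Step 5: triage an inbound HTML message (sender, recipient, active-content indicators) ----

ACTIVE_TAGS = {"script", "svg", "animate", "iframe", "object", "embed", "form"}
EVENT_ATTR = re.compile(r"^on\w+$")


class IndicatorCounter(HTMLParser):
    """Counts tags and records elements/attributes that have no business in ordinary mail."""

    def __init__(self):
        super().__init__()
        self.tag_count = 0
        self.indicators = []

    def handle_starttag(self, tag, attrs):
        self.tag_count += 1
        if tag in ACTIVE_TAGS:
            self.indicators.append(f"<{tag}>")
        for name, value in attrs:
            if EVENT_ATTR.match(name):
                self.indicators.append(f"{name} on <{tag}>")
            elif name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.indicators.append(f"javascript: URL on <{tag}>")


def triage_message(raw, trusted_domains, high_value_recipients, tag_threshold=50):
    """Returns a dict describing whether (and why) an EML should be pulled for review."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = msg["From"].addresses[0] if msg["From"] else None
    recipients = [a.addr_spec.lower() for a in (msg["To"].addresses if msg["To"] else ())]
    html_part = msg.get_body(preferencelist=("html",))
    counter = IndicatorCounter()
    if html_part is not None:
        counter.feed(html_part.get_content())
        counter.close()
    sender_domain = sender.domain.lower() if sender else ""
    targets_high_value = any(r in high_value_recipients for r in recipients)
    unknown_sender = sender_domain not in trusted_domains
    suspicious_html = bool(counter.indicators) or counter.tag_count > tag_threshold
    return {
        "sender": sender.addr_spec if sender else "",
        "recipients": recipients,
        "tag_count": counter.tag_count,
        "indicators": counter.indicators,
        "flagged": targets_high_value and unknown_sender and suspicious_html,
    }


# Constructed sample message (not a real exploit): escaped markup in a div, an inline
# event handler, and an SVG animate element, sent from an unknown domain to a high-value mailbox.
SAMPLE_EML = b"""From: Newsletter <news@unknown-sender.example>
To: ciso@corp.example
Subject: Quarterly update
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><div title="t">&lt;svg&gt;</div><p onmouseover="x()">hi</p><svg><animate/></svg></body></html>
"""

SAMPLE_HEADERS = [  # constructed; represents a hardened deployment
    ("Set-Cookie", "roundcube_sessid=abc; Path=/; HttpOnly; Secure; SameSite=Strict"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'"),
]

if __name__ == "__main__":
    print(check_response_headers(SAMPLE_HEADERS))
    print(triage_message(SAMPLE_EML, {"corp.example"}, {"ciso@corp.example"}))
```

The triage deliberately parses the HTML rather than grepping it: escaped markup inside text (the `&lt;svg&gt;` in the sample) is not counted as a tag, which keeps the indicator list focused on content the browser would actually execute.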

Key Details

Property               Value
CVE ID                 CVE-2024-42009
Vendor / Product       Roundcube — Webmail
NVD Published          2024-08-05
NVD Last Modified      2025-11-04
CVSS 3.1 Score         9.3
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Severity               CRITICAL
CWE                    CWE-79
CISA KEV Added         2025-06-09
CISA KEV Deadline      2025-06-30
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2025-06-30. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-08-04    Roundcube 1.6.8 and 1.5.8 released with fix
2024-08-05    CVE published
2025-06-09    CISA adds to KEV (10-month delay; confirmed exploitation over an extended period)
2025-06-30    CISA BOD 22-01 remediation deadline

References

Resource                                          Type
Roundcube Security Updates 1.6.8 and 1.5.8        Vendor Advisory
NVD — CVE-2024-42009                              Vulnerability Database
CISA KEV Catalog Entry                            US Government