CVE-2026-41873

Pony Mail · Pony Mail (Lua Implementation)

A request smuggling vulnerability in the retired Lua version of Pony Mail allows for unauthorized administrative account takeover.

Executive summary

The legacy Lua implementation of Pony Mail is vulnerable to HTTP request smuggling, enabling unauthenticated attackers to hijack administrative accounts.

Vulnerability

The application parses HTTP requests incorrectly, leading to request smuggling that an unauthenticated attacker can leverage to bypass authentication and seize administrative control.

Business impact

With a CVSS score of 9.8, this vulnerability represents a critical risk to any remaining instances of the legacy software. Since the project is retired and no patch will be issued, the business impact includes full system takeover and persistent unauthorized access to archived communication data.

Remediation

Immediate Action: Migrate all data to a supported alternative or to the "Pony Mail Foal" implementation without delay, as no patch will be released for the Lua version.

Proactive Monitoring: Review access logs for suspicious administrative logins and unusual HTTP request patterns that deviate from standard usage.

Compensating Controls: Restrict access to the affected instance to a limited, trusted set of users via a VPN or IP-based firewall filtering.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Because the maintainers have officially retired this version, it will receive no security fixes and cannot be secured in place. Immediate decommissioning or migration is the only effective remediation strategy for this vulnerability.