Vulnerabilities

 2 via 6 paths

Dependencies

 179

Source

 GitHub

Commit

 02477ed5

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
  • 1
Status
  • 2
  • 0
  • 0

high severity

Uncontrolled Recursion

  • Vulnerable module: nodemailer
  • Introduced through: mailparser@3.7.4, nodemailer@6.10.1 and others

Detailed paths

  • Introduced through: @mbtest/mountebank@bbyars/mountebank#02477ed552ebc38c4c91c15e8000f871d87d5a0c mailparser@3.7.4 nodemailer@7.0.4
    Remediation: Upgrade to mailparser@3.9.1.
  • Introduced through: @mbtest/mountebank@bbyars/mountebank#02477ed552ebc38c4c91c15e8000f871d87d5a0c nodemailer@6.10.1
    Remediation: Upgrade to nodemailer@7.0.11.
  • Introduced through: @mbtest/mountebank@bbyars/mountebank#02477ed552ebc38c4c91c15e8000f871d87d5a0c smtp-server@3.14.0 nodemailer@7.0.3
    Remediation: Upgrade to smtp-server@3.17.0.

Overview

nodemailer is an Easy as cake e-mail sending from your Node.js applications

Affected versions of this package are vulnerable to Uncontrolled Recursion in the addressparser function. An attacker can cause the process to terminate immediately by sending an email address header containing deeply nested groups, separated by many :s.

Remediation

Upgrade nodemailer to version 7.0.11 or higher.

References

Uncontrolled Recursion vulnerability report

medium severity

Interpretation Conflict

  • Vulnerable module: nodemailer
  • Introduced through: mailparser@3.7.4, nodemailer@6.10.1 and others

Detailed paths

  • Introduced through: @mbtest/mountebank@bbyars/mountebank#02477ed552ebc38c4c91c15e8000f871d87d5a0c mailparser@3.7.4 nodemailer@7.0.4
    Remediation: Upgrade to mailparser@3.7.5.
  • Introduced through: @mbtest/mountebank@bbyars/mountebank#02477ed552ebc38c4c91c15e8000f871d87d5a0c nodemailer@6.10.1
    Remediation: Upgrade to nodemailer@7.0.7.
  • Introduced through: @mbtest/mountebank@bbyars/mountebank#02477ed552ebc38c4c91c15e8000f871d87d5a0c smtp-server@3.14.0 nodemailer@7.0.3
    Remediation: Upgrade to smtp-server@3.15.0.

Overview

nodemailer is an Easy as cake e-mail sending from your Node.js applications

Affected versions of this package are vulnerable to Interpretation Conflict due to improper handling of quoted local-parts containing @. An attacker can cause emails to be sent to unintended external recipients or bypass domain-based access controls by crafting specially formatted email addresses with quoted local-parts containing the @ character.

Remediation

Upgrade nodemailer to version 7.0.7 or higher.

References

Interpretation Conflict vulnerability report