Find, fix and prevent vulnerabilities in your code.

Overview

nodemailer is an Easy as cake e-mail sending from your Node.js applications

Affected versions of this package are vulnerable to Interpretation Conflict due to improper handling of quoted local-parts containing @. An attacker can cause emails to be sent to unintended external recipients or bypass domain-based access controls by crafting specially formatted email addresses with quoted local-parts containing the @ character.

Remediation

Upgrade nodemailer to version 7.0.7 or higher.

References

• GitHub Commit

Overview

url-parse is a Small footprint URL parser that works seamlessly across Node.js and browser environments.

Affected versions of this package are vulnerable to Access Restriction Bypass due to improper parsing process, that may lead to incorrect handling of authentication credentials and hostname, which allows bypass of hostname validation.

PoC:

// PoC.js
 var parse = require('url-parse')
var cc=parse("http://admin:password123@@127.0.0.1")

//Output:
{ slashes: true,
  protocol: 'http:',
  hash: '',
  query: '',
  pathname: '/',
  auth: 'admin:password123',
  host: '@127.0.0.1',
  port: '',
  hostname: '@127.0.0.1',
  password: 'password123',
  username: 'admin',
  origin: 'http://@127.0.0.1',
  href: 'http://admin:password123@@127.0.0.1/' }

Remediation

Upgrade url-parse to version 1.5.6 or higher.

References

• GitHub Commit
• GitHub PR

Overview

url-parse is a Small footprint URL parser that works seamlessly across Node.js and browser environments.

Affected versions of this package are vulnerable to Authorization Bypass via the hostname field of a parsed URL, because "url-parse" is unable to find the correct hostname when no port number is provided in the URL.

PoC:

var Url = require('url-parse');
var PAYLOAD = "http://example.com:";

console.log(Url(PAYLOAD));

// Expected hostname: example.com
// Actual hostname by url-parse: example.com:

Output:

{
  slashes: true,
  protocol: 'http:',
  hash: '',
  query: '',
  pathname: '/',
  auth: '',
  host: 'example.com:',
  port: '',
  hostname: 'example.com:',
  password: '',
  username: '',
  origin: 'http://example.com:',
  href: 'http://example.com:/'
}

Remediation

Upgrade url-parse to version 1.5.8 or higher.

References

• GitHub Commit

Overview

Affected versions of this package are vulnerable to Missing Release of Resource after Effective Lifetime via the makeres function due to improperly deleting keys from the reqs object after execution of callbacks. This behavior causes the keys to remain in the reqs object, which leads to resource exhaustion.

Exploiting this vulnerability results in crashing the node process or in the application crash.

Note: This library is not maintained, and currently, there is no fix for this issue. To overcome this vulnerability, several dependent packages have eliminated the use of this library.

To trigger the memory leak, an attacker would need to have the ability to execute or influence the asynchronous operations that use the inflight module within the application. This typically requires access to the internal workings of the server or application, which is not commonly exposed to remote users. Therefore, “Attack vector” is marked as “Local”.

PoC

const inflight = require('inflight');

function testInflight() {
  let i = 0;
  function scheduleNext() {
    let key = `key-${i++}`;
    const callback = () => {
    };
    for (let j = 0; j < 1000000; j++) {
      inflight(key, callback);
    }

    setImmediate(scheduleNext);
  }


  if (i % 100 === 0) {
    console.log(process.memoryUsage());
  }

  scheduleNext();
}

testInflight();

Remediation

There is no fixed version for inflight.

References

• GitHub Issue
• GitHub PR

Overview

url-parse is a Small footprint URL parser that works seamlessly across Node.js and browser environments.

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to incorrect conversion of @ in the protocol field of the HREF.

PoC:

parse = require('url-parse')

console.log(parse("http:@/127.0.0.1"))

Output:

{
  slashes: true,
  protocol: 'http:',
  hash: '',
  query: '',
  pathname: '/127.0.0.1',
  auth: '',
  host: '',
  port: '',
  hostname: '',
  password: '',
  username: '',
  origin: 'null',
  href: 'http:///127.0.0.1'
}

Remediation

Upgrade url-parse to version 1.5.7 or higher.

References

• GitHub Commit
• GitHub PR

Overview

url-parse is a Small footprint URL parser that works seamlessly across Node.js and browser environments.

Affected versions of this package are vulnerable to Improper Input Validation. It mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.

Remediation

Upgrade url-parse to version 1.5.0 or higher.

References

• GitHub Commit
• GitHub PR

Overview

url-parse is a Small footprint URL parser that works seamlessly across Node.js and browser environments.

Affected versions of this package are vulnerable to Open Redirect due to improper escaping of slash characters.

Remediation

Upgrade url-parse to version 1.5.2 or higher.

References

• GitHub Commit
• GitHub Issue
• GitHub PR