send-email@1.0.1

Vulnerabilities

2 via 2 paths

Dependencies

1

Source

npm

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
  • 1
Status
  • 2
  • 0
  • 0

high severity

Command Injection

  • Vulnerable module: nodemailer
  • Introduced through: nodemailer@4.7.0

Detailed paths

  • Introduced through: send-email@1.0.1 nodemailer@4.7.0
    Remediation: Upgrade to nodemailer@6.4.16.

Overview

nodemailer is an Easy as cake e-mail sending from your Node.js applications

Affected versions of this package are vulnerable to Command Injection. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.

PoC

-bi@example.com (-bi Initialize the alias database.)
-d0.1a@example.com (The option -d0.1 prints the version of sendmail and the options it was compiled with.)
-Dfilename@example.com (Debug output ffile)

Remediation

Upgrade nodemailer to version 6.4.16 or higher.

References

medium severity

HTTP Header Injection

  • Vulnerable module: nodemailer
  • Introduced through: nodemailer@4.7.0

Detailed paths

  • Introduced through: send-email@1.0.1 nodemailer@4.7.0
    Remediation: Upgrade to nodemailer@6.6.1.

Overview

nodemailer is an Easy as cake e-mail sending from your Node.js applications

Affected versions of this package are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

PoC:

const userEmail = 'foo@bar.comrnSubject: foobar'; // imagine this comes from e.g. HTTP request params or is otherwise user-controllable
await transporter.sendMail({
from: '...',
to: '...',
replyTo: {
name: 'Customer',
address: userEmail,
},
subject: 'My Subject',
text: message,
});

Remediation

Upgrade nodemailer to version 6.6.1 or higher.

References