Homepage
About Snyk

HTTP Header Injection Affecting nodemailer package, versions <6.6.1

0.0
medium

Snyk CVSS

    Attack Complexity Low
    User Interaction Required

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.84% (82nd percentile)
Expand this section
NVD
8.8 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-NODEMAILER-1296415
  • published 28 Jun 2021
  • disclosed 24 May 2021
  • credit Adam Williams
Report a new vulnerability Found a mistake?

Introduced: 24 May 2021

CVE-2021-23400 Open this link in a new tab
CWE-644 Open this link in a new tab
First added by Snyk

How to fix?

Upgrade nodemailer to version 6.6.1 or higher.

Overview

nodemailer is an Easy as cake e-mail sending from your Node.js applications

Affected versions of this package are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

PoC:

const userEmail = 'foo@bar.comrnSubject: foobar'; // imagine this comes from e.g. HTTP request params or is otherwise user-controllable
await transporter.sendMail({
from: '...',
to: '...',
replyTo: {
name: 'Customer',
address: userEmail,
},
subject: 'My Subject',
text: message,
});