There is no fixed version for deferred-exec .

nodemailer@0.1.20 vulnerabilities

Easy as cake e-mail sending from your Node.js applications

latest version

6.9.16

latest non vulnerable version

6.9.16

first published

13 years ago

latest version published

1 months ago

licenses detected

MIT
>=0.1.1 <3.0.0; >=4.0.0 <6.9.3

View nodemailer package health on Snyk Advisor (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the nodemailer package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Regular Expression Denial of Service (ReDoS) nodemailer is an Easy as cake e-mail sending from your Node.js applications Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `attachDataUrls` parameter or when parsing attachments with an embedded file. An attacker can exploit this vulnerability by sending a specially crafted email that triggers inefficient regular expression evaluation, leading to excessive consumption of CPU resources. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `nodemailer` to version 6.9.9 or higher.	<6.9.9
M HTTP Header Injection nodemailer is an Easy as cake e-mail sending from your Node.js applications Affected versions of this package are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object. PoC: `const userEmail = 'foo@bar.comrnSubject: foobar'; // imagine this comes from e.g. HTTP request params or is otherwise user-controllable await transporter.sendMail({ from: '...', to: '...', replyTo: { name: 'Customer', address: userEmail, }, subject: 'My Subject', text: message, });` How to fix HTTP Header Injection? Upgrade `nodemailer` to version 6.6.1 or higher.	<6.6.1
H Command Injection nodemailer is an Easy as cake e-mail sending from your Node.js applications Affected versions of this package are vulnerable to Command Injection. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails. PoC `-bi@example.com (-bi Initialize the alias database.) -d0.1a@example.com (The option -d0.1 prints the version of sendmail and the options it was compiled with.) -Dfilename@example.com (Debug output ffile)` How to fix Command Injection? Upgrade `nodemailer` to version 6.4.16 or higher.	<6.4.16