nodemailer@1.4.0 vulnerabilities

Easy as cake e-mail sending from your Node.js applications

  • latest version

    6.9.16

  • latest non vulnerable version

  • first published

    13 years ago

  • latest version published

    1 months ago

  • licenses detected

    • >=0.1.1 <3.0.0; >=4.0.0 <6.9.3
  • Direct Vulnerabilities

    Known vulnerabilities in the nodemailer package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Regular Expression Denial of Service (ReDoS)

    nodemailer is an Easy as cake e-mail sending from your Node.js applications

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the attachDataUrls parameter or when parsing attachments with an embedded file. An attacker can exploit this vulnerability by sending a specially crafted email that triggers inefficient regular expression evaluation, leading to excessive consumption of CPU resources.

    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade nodemailer to version 6.9.9 or higher.

    <6.9.9
    • M
    HTTP Header Injection

    nodemailer is an Easy as cake e-mail sending from your Node.js applications

    Affected versions of this package are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

    PoC:

    const userEmail = 'foo@bar.comrnSubject: foobar'; // imagine this comes from e.g. HTTP request params or is otherwise user-controllable
    await transporter.sendMail({
    from: '...',
    to: '...',
    replyTo: {
    name: 'Customer',
    address: userEmail,
    },
    subject: 'My Subject',
    text: message,
    });
    

    How to fix HTTP Header Injection?

    Upgrade nodemailer to version 6.6.1 or higher.

    <6.6.1
    • H
    Command Injection

    nodemailer is an Easy as cake e-mail sending from your Node.js applications

    Affected versions of this package are vulnerable to Command Injection. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.

    PoC

    -bi@example.com (-bi Initialize the alias database.)
    -d0.1a@example.com (The option -d0.1 prints the version of sendmail and the options it was compiled with.)
    -Dfilename@example.com (Debug output ffile)
    

    How to fix Command Injection?

    Upgrade nodemailer to version 6.4.16 or higher.

    <6.4.16