HTTP Header Injection Affecting nodemailer package, versions <6.6.1


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
2.35% (91st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-NODEMAILER-1296415
  • published28 Jun 2021
  • disclosed24 May 2021
  • creditAdam Williams

Introduced: 24 May 2021

CVE-2021-23400  (opens in a new tab)
CWE-644  (opens in a new tab)
First added by Snyk

How to fix?

Upgrade nodemailer to version 6.6.1 or higher.

Overview

nodemailer is an Easy as cake e-mail sending from your Node.js applications

Affected versions of this package are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

PoC:

const userEmail = 'foo@bar.comrnSubject: foobar'; // imagine this comes from e.g. HTTP request params or is otherwise user-controllable
await transporter.sendMail({
from: '...',
to: '...',
replyTo: {
name: 'Customer',
address: userEmail,
},
subject: 'My Subject',
text: message,
});

CVSS Scores

version 3.1