HTTP Header Injection Affecting nodemailer package, versions <6.6.1

  • Exploit Maturity

    Proof of concept

  • Attack Complexity


  • User Interaction


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    28 Jun 2021

  • disclosed

    24 May 2021

  • credit

    Adam Williams

How to fix?

Upgrade nodemailer to version 6.6.1 or higher.


nodemailer is an Easy as cake e-mail sending from your Node.js applications

Affected versions of this package are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.


const userEmail = 'foo@bar.comrnSubject: foobar'; // imagine this comes from e.g. HTTP request params or is otherwise user-controllable
await transporter.sendMail({
from: '...',
to: '...',
replyTo: {
name: 'Customer',
address: userEmail,
subject: 'My Subject',
text: message,