GHSA-p6gq-j5cr-w38f: Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message
Nodemailer exposes disableFileAccess and disableUrlAccess so an application that passes
untrusted message data to the library can forbid that data from reading local files or
fetching URLs. Every attachment, alternative, html/text/watchHtml/amp and icalEvent
content node honors these flags. The message-level raw option does not.
MailComposer.compile() builds the root MIME node for a raw message without threading the
two flags, so a raw: { path: '/etc/passwd' } or raw: { href: 'http://169.254.169.254/…' }
message is read or fetched anyway, and the file or HTTP-response bytes become the actual
message that is sent by every transport (SMTP, SES, sendmail, stream, JSON). An actor whose
input the application intended to sandbox therefore obtains arbitrary local-file disclosure and
a full-response SSRF primitive, delivered to a recipient the same actor can choose.
This is the same vulnerability class as the already-published jsonTransport advisory
GHSA-wqvq-jvpq-h66f, but a distinct code path (raw root node, not normalize()), and
strictly higher impact: the jsonTransport bug only affected the locally-returned JSON, whereas
this affects the delivered RFC822 message for all transports.