GHSA-r7g4-qg5f-qqm2: Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception
Nodemailer disables TLS certificate verification in its internal HTTPS fetch client by setting rejectUnauthorized: false in lib/fetch/index.js.
As a result, the OAuth2 token requests made through that client accept invalid or self-signed HTTPS certificates, and the OAuth credentials in the request body are sent over connections that should have failed TLS validation.
An attacker in a machine-in-the-middle position can present their own certificate, terminate the TLS session, and capture the OAuth2 credential exchange, including:
- OAuth client_secret
- refresh_token
- access tokens
The issue was verified through runtime testing using a self-signed HTTPS OAuth endpoint.