GHSA-vvjj-xcjg-gr5g: Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO)

April 8, 2026

Nodemailer versions up to and including 8.0.4 are vulnerable to SMTP command injection via CRLF sequences in the transport name configuration option. The name value is used directly in the EHLO/HELO SMTP command without any sanitization for carriage return and line feed characters (\r\n). An attacker who can influence this option can inject arbitrary SMTP commands, enabling unauthorized email sending, email spoofing, and phishing attacks.

References

github.com/advisories/GHSA-vvjj-xcjg-gr5g
github.com/nodemailer/nodemailer
github.com/nodemailer/nodemailer/commit/0a43876801a420ca528f492eaa01bfc421cc306e
github.com/nodemailer/nodemailer/releases/tag/v8.0.5
github.com/nodemailer/nodemailer/security/advisories/GHSA-vvjj-xcjg-gr5g

Code Behaviors & Features

Detect and mitigate GHSA-vvjj-xcjg-gr5g with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →