Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls
A DoS can occur that immediately halts the system due to the use of an unsafe function.
Advisories for Npm/Nodemailer package
2025
Duplicate Advisory: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mm7p-fcc7-pg87. This link is maintained to preserve external references. Original Description A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to …
Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict
The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target. Payload: "xclow3n@gmail.com x"@internal.domain Using the following code to send mail const nodemailer = require("nodemailer"); let transporter = nodemailer.createTransport({ service: "gmail", auth: { user: "", pass: "", }, }); let mailOptions = { from: '"Test Sender" <your_email@gmail.com>', to: ""xclow3n@gmail.com …
Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict
The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target. Payload: "xclow3n@gmail.com x"@internal.domain Using the following code to send mail const nodemailer = require("nodemailer"); let transporter = nodemailer.createTransport({ service: "gmail", auth: { user: "", pass: "", }, }); let mailOptions = { from: '"Test Sender" <your_email@gmail.com>', to: ""xclow3n@gmail.com …
2024
nodemailer ReDoS when trying to send a specially crafted email
A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter attachDataUrls set, causing the stuck of event loop. Another flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop.
nodemailer ReDoS when trying to send a specially crafted email
Summary A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter attachDataUrls set, causing the stuck of event loop. Another flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop. Details Regex: /^data:((?:[^;];)(?:[^,])),(.)$/ Path: compile -> getAttachments -> _processDataUrl Regex: /(<img\b[^>]* src\s*=[\s"']*)(data:([^;]+);[^"'>\s]+)/ Path: _convertDataImages PoC https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6 https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698 Impact ReDoS causes the event loop to stuck a …
2021
Injection Vulnerability
The package nodemailer is vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
2020
Injection Vulnerability
Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending emails.