Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rcmh-qjqh-p98v. This link is maintained to preserve external references. Original Description A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
A DoS can occur that immediately halts the system due to the use of an unsafe function.
A DoS can occur that immediately halts the system due to the use of an unsafe function.
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mm7p-fcc7-pg87. This link is maintained to preserve external references. Original Description A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to …
The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target. Payload: "xclow3n@gmail.com x"@internal.domain Using the following code to send mail const nodemailer = require("nodemailer"); let transporter = nodemailer.createTransport({ service: "gmail", auth: { user: "", pass: "", }, }); let mailOptions = { from: '"Test Sender" <your_email@gmail.com>', to: ""xclow3n@gmail.com …
This advisory duplicates another.
A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter attachDataUrls set, causing the stuck of event loop. Another flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop.
This advisory duplicates another.
The package nodemailer is vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending emails.