Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO)
Summary Nodemailer versions up to and including 8.0.4 are vulnerable to SMTP command injection via CRLF sequences in the transport name configuration option. The name value is used directly in the EHLO/HELO SMTP command without any sanitization for carriage return and line feed characters \r\n. A...
06-03-5 (=1.0.0), 80cents (>=0.3.4 <=0.4.24) +2147 more potentially affected by unknown CVE via nodemailer (>=8.0.0 <=8.0.4)
nodemailer NPM version =8.0.0, =0.3.4, =0.1.0, =1.0.0, =1.16.0-feature-320605-mfchyhti, =1.0.1-develop-7a7ecd-mffcpgol, =2.0.0, =1.17.13-beta-20260512-004004-69bacba8, =0.1.0, =0.2.3 and more Source cves: unknown CVE Source advisory: SNYK:JS-NODEMAILER-15930946...
GHSA-C7W3-X93F-QMM8 Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter
Summary When a custom envelope object is passed to sendMail with a size property containing CRLF characters \r\n, the value is concatenated directly into the SMTP MAIL FROM command without sanitization. This allows injection of arbitrary SMTP commands, including RCPT TO — silently adding...
UBUNTU-CVE-2025-14874
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser...
CVE-2025-14874 Nodemailer: nodemailer: denial of service via crafted email address header
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser...
CVE-2025-14874
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser. Mitigation Mitigation for this issue is either not available or the currently available options do not meet the Red Hat...
Duplicate Advisory: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mm7p-fcc7-pg87. This link is maintained to preserve external references. Original Description A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient...
CVE-2025-13033
The CVE-2025-13033 entry concerns Nodemailer’s email parsing library. A flaw in handling specially formatted recipient addresses allows an attacker to craft a recipient that embeds an external address within quotes, causing misdirection of mail to the attacker’s external address rather than the i...
EUVD-2021-2533
Malware in sbrugna...
Linux Distros Unpatched Vulnerability : CVE-2020-7769
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport...
PT-2024-40224 · Unknown · Nodemailer
Name of the Vulnerable Software and Affected Versions: nodemailer affected versions not specified Description: A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter attachDataUrls set, causing the event loop to become stuck. Another flaw was found when nodemaile...
02112019lab6 (=1.0.0), 03-custom-tian (>=1.0.1 <=1.0.6) +10979 more potentially affected by CVE-2020-7769 via nodemailer (>=0.1.18 <=6.4.15)
nodemailer NPM version =0.1.18, =1.0.1, =1.0.0, =1.0.0, =0.2.9, =0.2.19 - 10er10 =0.23.0 - 123ac =1.0.8 - 123acyashu =1.0.8 - 123acyashuac =1.0.8 - 2fatang =1.0.0 and more Source cves: CVE-2020-7769 Source advisory: OSV:GHSA-48WW-J4FC-435P...
Command Injection
Overview nodemailer describes itself as "Easy as cake e-mail sending from your Node.js applications". Affected versions of this package are vulnerable to Command Injection. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails. PoC...