
13 matches found

Source: Github Security Blog (added 2026/04/08 3:05 p.m., 21 views)

Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO)

Summary: Nodemailer versions up to and including 8.0.4 are vulnerable to SMTP command injection via CRLF sequences in the transport name configuration option. The name value is used directly in the EHLO/HELO SMTP command without any sanitization of carriage return and line feed characters (\r\n). A...

AI score 6; exploits 0; references 4; affected software 1
Source: vulnersOsv (added 2026/04/08 3:05 p.m., 11 views)

06-03-5 (=1.0.0), 80cents (>=0.3.4 <=0.4.24) +2147 more potentially affected by unknown CVE via nodemailer (>=8.0.0 <=8.0.4)

nodemailer NPM version =8.0.0, =0.3.4, =0.1.0, =1.0.0, =1.16.0-feature-320605-mfchyhti, =1.0.1-develop-7a7ecd-mffcpgol, =2.0.0, =1.17.13-beta-20260512-004004-69bacba8, =0.1.0, =0.2.3 and more. Source CVEs: unknown CVE. Source advisory: SNYK:JS-NODEMAILER-15930946...

AI score 5.5; exploits 0
Source: OSV (added 2026/03/26 10:26 p.m., 2 views)

GHSA-C7W3-X93F-QMM8 Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter

Summary: When a custom envelope object is passed to sendMail with a size property containing CRLF characters (\r\n), the value is concatenated directly into the SMTP MAIL FROM command without sanitization. This allows injection of arbitrary SMTP commands, including RCPT TO, silently adding...

CVSS 2.3; AI score 6.1; exploits 0; references 3
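The transport name entry and the envelope.size entry above describe one pattern: a caller-controlled string is concatenated into an SMTP command line, and because SMTP delimits commands with CRLF, an embedded \r\n terminates the intended command and starts a new one. The block below is an added example written for this page, not nodemailer's own code: a minimal command builder in its naive and hardened forms, run against constructed inputs. The function names, the hostnames and the addresses are assumptions chosen for illustration.

```javascript
// Added example, not nodemailer's code: CRLF injection into SMTP command lines,
// with naive and hardened builders. All names and sample values are assumptions.

// Naive builders: the caller-controlled value lands straight in the command string.
function buildEhloNaive(name) {
  return 'EHLO ' + name + '\r\n';
}

function buildMailFromNaive(from, size) {
  let cmd = 'MAIL FROM:<' + from + '>';
  if (size !== undefined) cmd += ' SIZE=' + size;
  return cmd + '\r\n';
}

// Split a raw outgoing buffer the way an SMTP server reads it: one command per CRLF.
function splitCommands(raw) {
  return raw.split('\r\n').filter((line) => line.length > 0);
}

// Hardened variants: a value containing CR or LF can never become more than one
// command line, so reject it outright instead of trying to strip it.
function assertNoCrlf(value, label) {
  if (/[\r\n]/.test(String(value))) {
    throw new Error(`${label} must not contain CR or LF`);
  }
  return value;
}

function buildEhloSafe(name) {
  return buildEhloNaive(assertNoCrlf(name, 'transport name'));
}

function buildMailFromSafe(from, size) {
  assertNoCrlf(from, 'envelope.from');
  if (size !== undefined) {
    // SIZE is numeric in the SMTP SIZE extension; validate the type instead of
    // concatenating whatever string the caller supplied.
    const n = Number(size);
    if (!Number.isInteger(n) || n < 0) {
      throw new Error('envelope.size must be a non-negative integer');
    }
    return buildMailFromNaive(from, n);
  }
  return buildMailFromNaive(from);
}

// Constructed demonstration inputs (assumed values): a hostname carrying a second
// command, and a size value that smuggles an extra RCPT TO.
const INJECTED_NAME = 'mail.example.test\r\nMAIL FROM:<attacker@example.test>';
const INJECTED_SIZE = '1024\r\nRCPT TO:<bcc@attacker.example.test>';

// Returns what the server would see from the naive builders, and the error the
// hardened builder raises for the same input.
function demo() {
  const naiveCommands = splitCommands(
    buildEhloNaive(INJECTED_NAME) +
      buildMailFromNaive('sender@example.test', INJECTED_SIZE)
  );
  let safeError = null;
  try {
    buildEhloSafe(INJECTED_NAME);
  } catch (e) {
    safeError = e.message;
  }
  return { naiveCommands, safeError };
}

console.log(demo());
```

The naive path turns two values into four commands, and the injected RCPT TO is the mechanism by which an extra recipient is added without appearing in the message the application thinks it sent. Rejecting the value is preferable to stripping CR/LF, since a stripped value still silently differs from what the caller configured.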
Source: OSV (added 2025/12/18 9:15 a.m., 5 views)

UBUNTU-CVE-2025-14874

A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser...

CVSS 7.5; AI score 6.3; EPSS 0.00409; exploits 1; references 7
Source: Vulnrichment (added 2025/12/18 8:40 a.m., 5 views)

CVE-2025-14874 Nodemailer: nodemailer: denial of service via crafted email address header

A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser...

CVSS 7.5; AI score 6; EPSS 0.00409; exploits 1; references 5
Source: RedhatCVE (added 2025/12/18 8:40 a.m., 6 views)

CVE-2025-14874

A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser. Mitigation: mitigation for this issue is either not available or the currently available options do not meet the Red Hat...

CVSS 7.5; AI score 5.9; EPSS 0.00409; exploits 1; references 6
Source: Github Security Blog (added 2025/11/14 9:30 p.m., 10 views)

Duplicate Advisory: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-mm7p-fcc7-pg87. This link is maintained to preserve external references. Original Description: A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient...

CVSS 7.5; AI score 6.2; EPSS 0.00498; exploits 0; references 9; affected software 1
Source: CVE (added 2025/11/14 7:37 p.m., 33 views)

CVE-2025-13033

The CVE-2025-13033 entry concerns Nodemailer's email parsing library. A flaw in handling specially formatted recipient addresses allows an attacker to craft a recipient that embeds an external address within quotes, causing misdirection of mail to the attacker's external address rather than the i...

CVSS 7.5; AI score 6.1; EPSS 0.00498; exploits 0; references 7
Source: EUVD (added 2025/10/07 12:30 a.m., 4 views)

EUVD-2021-2533

Malware in sbrugna...

CVSS 8.8; AI score 8.5; EPSS 0.01381; exploits 1; references 6
Source: Tenable Nessus (added 2025/08/27 12:00 a.m., 3 views)

Linux Distros Unpatched Vulnerability : CVE-2020-7769

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport...

CVSS 9.8; AI score 8.5; EPSS 0.02316; exploits 1; references 2
Source: Positive Technologies (added 2024/01/31 12:00 a.m., 5 views)

PT-2024-40224 · Unknown · Nodemailer

Name of the vulnerable software and affected versions: nodemailer, affected versions not specified. Description: A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter attachDataUrls set, causing the event loop to become stuck. Another flaw was found when nodemaile...

CVSS 5.3; AI score 6.8; exploits 0; references 6
Source: vulnersOsv (added 2021/05/10 7:16 p.m., 3 views)

02112019lab6 (=1.0.0), 03-custom-tian (>=1.0.1 <=1.0.6) +10979 more potentially affected by CVE-2020-7769 via nodemailer (>=0.1.18 <=6.4.15)

nodemailer NPM version =0.1.18, =1.0.1, =1.0.0, =1.0.0, =0.2.9, =0.2.19 - 10er10 =0.23.0 - 123ac =1.0.8 - 123acyashu =1.0.8 - 123acyashuac =1.0.8 - 2fatang =1.0.0 and more. Source CVEs: CVE-2020-7769. Source advisory: OSV:GHSA-48WW-J4FC-435P...

CVSS 9.8; AI score 7.7; EPSS 0.02316; exploits 1
Source: Snyk (added 2020/11/11 1:17 p.m., 3 views)

Command Injection

Overview: nodemailer is an "Easy as cake e-mail sending from your Node.js applications". Affected versions of this package are vulnerable to Command Injection. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails. PoC...

CVSS 9.8; AI score 7.5; EPSS 0.02316; exploits 1; references 2
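The three CVE-2020-7769 entries above (Tenable, vulnersOsv, Snyk) all state the mechanism in one sentence: a recipient address is appended to the sendmail command line, so a recipient shaped like a command-line flag is read by the sendmail binary as a flag rather than as an address. The block below is an added example written for this page, not nodemailer's own transport code: a naive argv builder, a classifier that reads argv the way a GNU-style getopt parser does, and a hardened builder that rejects flag-shaped recipients. The binary path, the function names and the sample recipients are assumptions; the flag letter in the sample is arbitrary and chosen only to have the shape of an option.

```javascript
// Added example, not nodemailer's code: argv flag injection through recipient
// addresses in a sendmail-style transport. All names and sample values are assumptions.

const SENDMAIL_PATH = '/usr/sbin/sendmail'; // assumed path, illustrative only

// Naive construction: every recipient goes straight onto the command line.
function buildSendmailArgsNaive(recipients) {
  return [SENDMAIL_PATH, '-i', ...recipients];
}

// Read argv the way a GNU-style getopt parser does when it permutes arguments:
// anything beginning with '-' is an option until a bare '--' ends option parsing.
function classifyArgs(args) {
  const flags = [];
  const addresses = [];
  let optionsEnded = false;
  for (const a of args.slice(1)) { // skip argv[0]
    if (!optionsEnded && a === '--') {
      optionsEnded = true;
      continue;
    }
    if (!optionsEnded && a.startsWith('-')) flags.push(a);
    else addresses.push(a);
  }
  return { flags, addresses };
}

// Hardened construction: refuse anything that could be parsed as an option or that
// contains whitespace/control characters, and terminate option parsing with '--'.
// The reject check is the primary control; '--' is defence in depth that relies on
// the binary honouring getopt-style option termination.
function assertSafeRecipient(addr) {
  if (typeof addr !== 'string' || addr.length === 0) {
    throw new Error('recipient must be a non-empty string');
  }
  if (addr.startsWith('-')) {
    throw new Error(`recipient must not start with '-': ${addr}`);
  }
  if (/[\s\x00-\x1f\x7f]/.test(addr)) {
    throw new Error('recipient must not contain whitespace or control characters');
  }
  if (!addr.includes('@')) {
    throw new Error('recipient must contain @');
  }
  return addr;
}

function buildSendmailArgsSafe(recipients) {
  return [SENDMAIL_PATH, '-i', '--', ...recipients.map(assertSafeRecipient)];
}

// Constructed demonstration input (assumed values): one legitimate recipient and one
// flag-shaped string supplied where an address was expected.
const SAMPLE_RECIPIENTS = ['victim@example.test', '-Zexample'];

function demo() {
  const naive = classifyArgs(buildSendmailArgsNaive(SAMPLE_RECIPIENTS));
  let safeError = null;
  try {
    buildSendmailArgsSafe(SAMPLE_RECIPIENTS);
  } catch (e) {
    safeError = e.message;
  }
  return { naive, safeError };
}

console.log(demo());
```

Rejecting any recipient that begins with a hyphen also rejects the rare legitimate local part that starts with one; that trade-off is deliberate, since a transport that shells out to a binary cannot distinguish the two on the command line.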