129 matches found
ROOT-APP-NPM-CVE-2025-14874 CVE-2025-14874 in @rootio/nodemailer - Patched by Root
Root has patched CVE-2025-14874 in the @rootio/nodemailer package for Root:npm. Multiple fixed versions available...
CVE-2026-38728
An issue in Nodemailer smtp_server before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream._write, lib/smtp-stream.js components...
CVE-2026-38728
The vulnerability CVE-2026-38728 affects Nodemailer smtp_server prior to version 3.18.3. The issue is triggered in the SMTPStream._write implementation (lib/smtp-stream.js), allowing a remote attacker to cause a denial of service. Impact is a DoS on the SMTP server component mentioned. The root c...
PT-2026-41303
An issue in Nodemailer smtp_server before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream._write, lib/smtp-stream.js components...
EUVD-2026-30546
An issue in Nodemailer smtp_server before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream._write, lib/smtp-stream.js components...
ROOT-APP-NPM-GHSA-VVJJ-XCJG-GR5G GHSA-vvjj-xcjg-gr5g in @rootio/nodemailer - Patched by Root
Root has patched GHSA-vvjj-xcjg-gr5g in the @rootio/nodemailer package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2025-13033 CVE-2025-13033 in @rootio/nodemailer - Patched by Root
Root has patched CVE-2025-13033 in the @rootio/nodemailer package for Root:npm. Multiple fixed versions available...
GHSA-VVJJ-XCJG-GR5G Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO)
Summary Nodemailer versions up to and including 8.0.4 are vulnerable to SMTP command injection via CRLF sequences in the transport name configuration option. The name value is used directly in the EHLO/HELO SMTP command without any sanitization for carriage return and line feed characters \r\n. A...
CRLF Injection
Overview nodemailer is an Easy as cake e-mail sending from your Node.js applications. Affected versions of this package are vulnerable to CRLF Injection via the name configuration option. An attacker can inject arbitrary SMTP commands by supplying carriage return and line feed...
@bitblit/ratchet-aws-node-only (>=6.1.196-alpha <=6.1.200-alpha), @bitblit/ratchet-epsilon-common (>=6.1.196-alpha <=6.1.200-alpha) +73 more potentially affected by unknown CVE via nodemailer (>=8.0.0 <=8.0.4)
nodemailer NPM version =8.0.0, =6.1.196-alpha, =6.1.196-alpha, =6.1.196-alpha, =0.0.1, =3.35.0, =4.0.0-canary.13686, =4.0.0-canary.13686, =5.0.10, =2.0.0-alpha.59, =0.0.1-beta.0, =1.9.5, =0.2.0-alpha.1, =6.0.0-beta.8, =6.0.0-beta.9, =6.0.0-beta.14 and more Source cves: unknown CVE Source advisory...
CRLF Injection
Overview org.webjars.npm:nodemailer is an Easy as cake e-mail sending from your Node.js applications. Affected versions of this package are vulnerable to CRLF Injection via the name configuration option. An attacker can inject arbitrary SMTP commands by supplying carriage return and...
Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO)
Summary Nodemailer versions up to and including 8.0.4 are vulnerable to SMTP command injection via CRLF sequences in the transport name configuration option. The name value is used directly in the EHLO/HELO SMTP command without any sanitization for carriage return and line feed characters \r\n. A...
0.extends.fc (=1.0.65), 0.extends.react (=1.0.51) +12020 more potentially affected by unknown CVE via nodemailer (>=0.1.18 <=8.0.3)
nodemailer NPM version =0.1.18, =1.0.49, =1.0.1, =1.0.0, =1.0.0, =0.2.9, =0.2.19 - 10er10 =0.23.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-C7W3-X93F-QMM8...
CRLF Injection
Overview nodemailer is an Easy as cake e-mail sending from your Node.js applications. Affected versions of this package are vulnerable to CRLF Injection via the envelope.size parameter in the sendMail function. An attacker can inject arbitrary SMTP commands by supplying CRLF characters in the size...
CRLF Injection
Overview org.webjars.npm:nodemailer is an Easy as cake e-mail sending from your Node.js applications. Affected versions of this package are vulnerable to CRLF Injection via the envelope.size parameter in the sendMail function. An attacker can inject arbitrary SMTP commands by supplying CRLF...
GHSA-C7W3-X93F-QMM8 Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter
Summary When a custom envelope object is passed to sendMail with a size property containing CRLF characters \r\n, the value is concatenated directly into the SMTP MAIL FROM command without sanitization. This allows injection of arbitrary SMTP commands, including RCPT TO — silently adding...
@darraghor/nest-backend-libs (>=5.0.10 <=5.0.11), @flink-app/inbound-email-plugin (>=2.0.0-alpha.59 <=2.0.0-alpha.95) +53 more potentially affected by unknown CVE via nodemailer (>=8.0.0 <=8.0.3)
nodemailer NPM version =8.0.0, =5.0.10, =2.0.0-alpha.59, =0.0.1-beta.0, =1.9.5, =0.2.0-alpha.1, =6.0.0-beta.9, =11.14.0, =5.8.38, =2.9.4-beta.9766, =0.1.10, =1.11.4, =2.1.8, =1.0.120, =1.14.24 and more Source cves: unknown CVE Source advisory: SNYK:JS-NODEMAILER-15790064...