Description

The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

Remediation

References

https://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1314737

https://github.com/nodemailer/nodemailer/commit/7e02648cc8cd863f5085bad3cd09087bccf84b9f

https://github.com/nodemailer/nodemailer/issues/1289

Related Vulnerabilities

CVE-2020-7720 Vulnerability in maven package org.webjars.npm:node-forge

CVE-2023-42276 Vulnerability in maven package cn.hutool:hutool-json

CVE-2020-28502 Vulnerability in maven package org.webjars.npm:xmlhttprequest-ssl

CVE-2021-21290 Vulnerability in maven package io.netty:netty-testsuite

CVE-2020-15999 Vulnerability in npm package electron

Severity

Critical

Classification

CWE-74 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Exploit Patch Third Party Advisory