postal-mime is vulnerable to Improper Input Validation
Medium Risk
Affected versions of this package allowed RFC 2047 encoded-word input to be misinterpreted as a valid email address during parser re-processing, letting bare decoded text like test@evil.co be accepted as an address instead of only as a display name. An attacker could exploit this by crafting encoded email header values that bypass expected address formatting rules, potentially injecting or spoofing recipient/sender addresses in systems that trust the parser’s output. The fix restricts re-parsing to properly delimited addresses in angle brackets, preventing fabricated bare-address decoding from being treated as legitimate mailbox data.
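The following is an added, simplified illustration of the pattern this advisory describes and of the fix it describes; it is not postal-mime's code and does not reproduce its parser. It decodes RFC 2047 encoded-words in a display name and then shows two re-parsing policies side by side: `parseMailboxLenient` feeds the decoded text back into the mailbox splitter unconditionally (the flawed behaviour), while `parseMailboxStrict` re-parses only when the decoded text carries an angle-bracketed address, so bare decoded text such as `test@evil.co` remains a display name. The function names, the limited charset handling and the sample headers are constructed for this example.

```javascript
// Added illustration (not postal-mime's code): a minimal RFC 2047 decoder for
// header display names plus two re-parsing policies. parseMailboxLenient mirrors
// the flawed pattern the advisory describes (decoded text is re-parsed
// unconditionally); parseMailboxStrict mirrors the described fix (decoded text
// is re-parsed only when it carries an angle-bracketed address).
// Function names and sample headers are constructed for this example.

// Decode the Q variant of RFC 2047: "_" is a space, "=XX" is a hex byte.
function decodeQ(text) {
  const bytes = [];
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    const hex = text.slice(i + 1, i + 3);
    if (c === '_') {
      bytes.push(0x20);
    } else if (c === '=' && /^[0-9A-Fa-f]{2}$/.test(hex)) {
      bytes.push(parseInt(hex, 16));
      i += 2;
    } else {
      bytes.push(c.charCodeAt(0) & 0xff);
    }
  }
  return Buffer.from(bytes);
}

// Turn decoded bytes into a string; only UTF-8 and Latin-1 are handled here
// (assumption for this illustration: any other charset is treated as UTF-8).
function bytesToString(buf, charset) {
  const cs = charset.toLowerCase().replace(/\*.*$/, ''); // drop RFC 2231 language tag
  if (['iso-8859-1', 'latin1', 'us-ascii', 'ascii'].includes(cs)) return buf.toString('latin1');
  return buf.toString('utf8');
}

// Replace every "=?charset?B|Q?text?=" encoded-word with its decoded text.
// Whitespace between adjacent encoded-words is dropped, as RFC 2047 requires.
const ENCODED_WORD = /=\?([^?\s]+)\?([BbQq])\?([^?\s]*)\?=/g;
function decodeHeaderWords(value) {
  return value
    .replace(/(\?=)\s+(=\?)/g, '$1$2')
    .replace(ENCODED_WORD, (_, charset, enc, text) => {
      const buf = enc.toUpperCase() === 'B' ? Buffer.from(text, 'base64') : decodeQ(text);
      return bytesToString(buf, charset);
    });
}

// Split one mailbox into {name, address}. Only "Name <addr>" and a bare
// addr-spec yield an address; anything else is treated as a display name.
const ADDR_SPEC = /^[^\s<>@]+@[^\s<>@]+$/;
function splitMailbox(value) {
  const m = value.match(/^(.*?)\s*<([^<>]*)>\s*$/);
  if (m) return { name: m[1].trim().replace(/^"(.*)"$/, '$1'), address: m[2].trim() };
  const v = value.trim();
  if (ADDR_SPEC.test(v)) return { name: '', address: v };
  return { name: v, address: '' };
}

// Flawed pattern: whatever the encoded-word decodes to is fed back into the
// mailbox splitter, so a decoded display name that merely looks like
// "user@host" is promoted to the address and can displace the real one.
function parseMailboxLenient(raw) {
  const first = splitMailbox(raw);
  const decodedName = decodeHeaderWords(first.name);
  if (decodedName !== first.name) {
    const again = splitMailbox(decodedName);
    if (again.address) return again;
  }
  return { name: decodedName, address: first.address };
}

// Fixed pattern: decoded text is re-parsed only when it contains a properly
// delimited "<...>" address; bare decoded text stays a display name.
function parseMailboxStrict(raw) {
  const first = splitMailbox(raw);
  const decodedName = decodeHeaderWords(first.name);
  if (decodedName !== first.name && /<[^<>]*>/.test(decodedName)) {
    return splitMailbox(decodedName);
  }
  return { name: decodedName, address: first.address };
}
```

Running `parseMailboxStrict('=?UTF-8?Q?test=40evil.co?= <legit@example.com>')` keeps `legit@example.com` as the address and `test@evil.co` as the name, whereas the lenient variant returns `test@evil.co` as the address; that difference is the whole of what the fix changes, and the same check (does the decoded text carry `<...>`?) is what a consumer of parser output can apply before trusting a decoded display name.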
You are affected if you are using a version that falls within the vulnerable range.
postal-mime is vulnerable to Improper Input Validation in versions 1.0.1 - 2.7.3.
Upgrade the postal-mime library to a patched version.