zbateson/mail-mime-parser is vulnerable to CRLF Injection
72
High Risk
The library interpolates attachment filenames into Content-Type and Content-Disposition header values without removing carriage-return and line-feed characters. A filename containing \r\n, which can arrive directly from parsed inbound mail via an RFC 2231 filename*= parameter or a base64/quoted-printable RFC 2047 encoded word, serializes as additional attacker-controlled header lines such as a forged Bcc. This lets an attacker inject arbitrary MIME headers when an application builds or forwards a message using an untrusted filename returned by getFilename(). The fix strips CR/LF and control characters from decoded MIME token and parameter values and from attachment filenames before they are written into headers.
You are affected if you are using a version that falls within the vulnerable range.
zbateson/mail-mime-parser is vulnerable to CRLF Injection in versions 0.0.1 - 3.0.5 and 4.0.0 - 4.0.1.
Upgrade the zbateson/mail-mime-parser library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant