nodemailer is vulnerable to CRLF Injection
38
Low Risk
The HTTP proxy client writes the destination host and port straight into the CONNECT request line and the Host header without neutralizing CR or LF characters. When an application routes SMTP through an HTTP proxy and the destination host or port is attacker-influenced, embedded CRLF sequences inject additional headers into the proxy request, enabling HTTP request splitting. The same code path also buffers the proxy CONNECT response headers without a size limit, so a proxy that never terminates the header block can grow process memory until the socket times out. The fix rejects CRLF in the destination host, coerces the port to a number, and caps the buffered CONNECT response headers at 64KB.
You are affected if you are using a version that falls within the vulnerable range and route SMTP connections through an HTTP proxy.
nodemailer is vulnerable to CRLF Injection in versions 3.0.0 - 9.0.1.
Upgrade the nodemailer library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant