Intel

AIKIDO-2026-615133

nodemailer is vulnerable to CRLF Injection

CRLF Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

38

Low Risk

This Affects:

JSnodemailer
3.0.0 - 9.0.1
Fixed in 9.0.2
Are you affected? Scan for Free

TL;DR

The HTTP proxy client writes the destination host and port straight into the CONNECT request line and the Host header without neutralizing CR or LF characters. When an application routes SMTP through an HTTP proxy and the destination host or port is attacker-influenced, embedded CRLF sequences inject additional headers into the proxy request, enabling HTTP request splitting. The same code path also buffers the proxy CONNECT response headers without a size limit, so a proxy that never terminates the header block can grow process memory until the socket times out. The fix rejects CRLF in the destination host, coerces the port to a number, and caps the buffered CONNECT response headers at 64KB.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and route SMTP connections through an HTTP proxy.

Background info

nodemailer is vulnerable to CRLF Injection in versions 3.0.0 - 9.0.1.

How to fix this

Upgrade the nodemailer library to the patch version.