nodemailer is vulnerable to Server-side Request Forgery (SSRF)
High Risk
nodemailer message-level raw option bypasses disableFileAccess and disableUrlAccess, allowing untrusted input to force the server to read arbitrary local files or fetch arbitrary URLs and send the returned bytes as the actual email content. An attacker who can control raw and the recipient address can exploit this to exfiltrate sensitive files such as .env, keys, or /proc/self/environ, or to perform full-response SSRF against internal services and cloud metadata endpoints, with the retrieved data delivered directly to an attacker-controlled mailbox. This defeats the library’s documented sandboxing controls for untrusted mail content and results in high-impact information disclosure across all transports.
You are affected if you are using a version that falls within the vulnerable range.
nodemailer is vulnerable to Server-side Request Forgery (SSRF) in versions 0.0.1 - 9.0.0.
Upgrade the nodemailer library to a patched version.
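Where untrusted callers supply message objects, a pre-send check that refuses the message-level raw option and any path/href content source keeps the sandbox flags meaningful regardless of version. This is an added example, not code from nodemailer or from the advisory; it assumes the message comes from untrusted JSON (so stream content is not expected), and the names checkUntrustedMessage and forbiddenKeysIn are hypothetical.

```javascript
'use strict';

// Message fields nodemailer resolves from a file or URL when given { path } / { href }.
const CONTENT_FIELDS = ['text', 'html', 'watchHtml', 'amp', 'icalEvent'];
// Lists whose entries may carry raw / path / href content sources.
const LIST_FIELDS = ['attachments', 'alternatives'];
// Keys that make nodemailer read a file, fetch a URL, or send raw MIME verbatim.
const FORBIDDEN_KEYS = ['raw', 'path', 'href'];

// Returns the fully qualified names of forbidden keys found on one object.
function forbiddenKeysIn(value, where) {
  if (!value || typeof value !== 'object' || Buffer.isBuffer(value)) return [];
  return FORBIDDEN_KEYS.filter((k) => k in value).map((k) => `${where}.${k}`);
}

// Validates a message object built from untrusted input (hypothetical helper).
// Returns { ok: true, message } with a copy that pins the sandbox flags on,
// or { ok: false, violations } listing every key that would bypass them.
function checkUntrustedMessage(message) {
  if (!message || typeof message !== 'object') {
    return { ok: false, violations: ['message must be an object'] };
  }
  let violations = [];
  // The message-level raw option is what sidesteps disableFileAccess/disableUrlAccess.
  if ('raw' in message) violations.push('raw');
  for (const f of CONTENT_FIELDS) {
    violations = violations.concat(forbiddenKeysIn(message[f], f));
  }
  for (const f of LIST_FIELDS) {
    const items = Array.isArray(message[f]) ? message[f] : [];
    items.forEach((item, i) => {
      violations = violations.concat(forbiddenKeysIn(item, `${f}[${i}]`));
    });
  }
  if (violations.length) return { ok: false, violations };
  // Shallow copy with the sandbox flags forced on so a caller cannot omit or override them.
  const safe = Object.assign({}, message, { disableFileAccess: true, disableUrlAccess: true });
  return { ok: true, message: safe };
}
```

Only a message that passes this check should be handed to transporter.sendMail(); a rejection is worth logging, since a raw or path key in untrusted input is itself an indicator of an attempted read.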