CVE Reports

Posted on • Originally published at cvereports.com

GHSA-268h-hp4c-crq3: CRLF Injection via List-* Header Comments in Nodemailer

Vulnerability ID: GHSA-268H-HP4C-CRQ3
CVSS Score: 5.4
Published: 2026-06-15

GHSA-268h-hp4c-crq3 is a Carriage Return Line Feed (CRLF) injection vulnerability in the Nodemailer npm package affecting versions up to and including 8.0.8. The library allows arbitrary email header injection when parsing user-controlled comments within list headers (such as List-Unsubscribe or List-ID). This occurs because list headers bypass standard validation by using an internal 'prepared' flag, so unsanitized newlines are emitted directly into the outgoing RFC822 mail stream. The flaw allows remote attackers to inject custom, unauthorized mail headers, disrupting signature checks, bypassing filters, or spoofing parameters.

TL;DR

A CRLF injection vulnerability in Nodemailer <= 8.0.8 allows remote attackers to inject arbitrary email headers by placing newline characters inside dynamic List-* header comments. This occurs because 'prepared' headers bypass Nodemailer's standard sanitization pipeline.


Technical Details

  • CWE ID: CWE-93
  • Attack Vector: Network (Remote)
  • CVSS Score: 5.4
  • Exploit Status: poc
  • Impact: Arbitrary Email Header Injection
  • Fixed Version: 8.0.9

Affected Systems

  • Applications running Nodemailer <= 8.0.8 utilizing dynamic List-* headers.
  • nodemailer: <= 8.0.8 (Fixed in: 8.0.9)

Mitigation Strategies

  • Upgrade Nodemailer to version 8.0.9 or later.
  • Implement input-validation filters to strip CR (\r) and LF (\n) from all list comment parameters before passing them to Nodemailer.
  • Configure Web Application Firewalls (WAF) to detect and block URL-encoded newlines in input forms.

Remediation Steps

  1. Audit the package.json file to identify vulnerable installations of Nodemailer (versions <= 8.0.8).
  2. Update the dependency to version 8.0.9 using the command: npm install nodemailer@8.0.9 or npm update nodemailer.
  3. Identify all locations in the application source code where the list config object is dynamically defined using user input.
  4. Apply strict character filtering or regular expressions to remove newlines from comment and list string inputs.
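The input-validation filter recommended above, as an added example that is not part of the original report or of Nodemailer's own code. It assumes the shape of a Nodemailer-style `list` option (each entry a string, an object with `url` and `comment`, or an array of those) and walks it, replacing any CR/LF run with a single space and recording the path of every field that carried one, so the caller can log the event or reject the request under a strict policy. The upgrade to 8.0.9 remains the actual fix; this is defense in depth for the parameters that feed List-* headers.

```javascript
// Added example (not Nodemailer's own code): strip CR/LF from every string
// that ends up in a List-* header, and report which inputs contained them.
// Assumed `list` shape: { header: string | { url, comment } | Array<...> }.

const CRLF_RUN_RE = /[\r\n]+/g;

// True when a string carries a carriage return or line feed, i.e. it could
// terminate its header line and start a new, attacker-chosen header.
function containsCRLF(value) {
  return typeof value === 'string' && /[\r\n]/.test(value);
}

// Collapse every run of CR/LF into one space so the value stays a single
// header line; surrounding whitespace is trimmed.
function stripCRLF(value) {
  return String(value).replace(CRLF_RUN_RE, ' ').trim();
}

// Sanitize one list entry recursively. `findings` collects the dotted path
// of each string that contained CR/LF; `path` is the current location.
function sanitizeListEntry(entry, findings, path) {
  if (Array.isArray(entry)) {
    return entry.map((e, i) => sanitizeListEntry(e, findings, `${path}[${i}]`));
  }
  if (entry && typeof entry === 'object') {
    const out = {};
    for (const [key, val] of Object.entries(entry)) {
      out[key] = sanitizeListEntry(val, findings, `${path}.${key}`);
    }
    return out;
  }
  if (typeof entry !== 'string') return entry; // numbers, null, etc. pass through
  if (containsCRLF(entry)) findings.push(path);
  return stripCRLF(entry);
}

// Sanitize a whole `list` config object before it reaches the mailer.
// Returns a cleaned copy plus the list of paths where CR/LF was found.
function sanitizeListConfig(list) {
  const findings = [];
  const sanitized = {};
  for (const [header, entry] of Object.entries(list)) {
    sanitized[header] = sanitizeListEntry(entry, findings, header);
  }
  return { sanitized, findings };
}

// Constructed sample input: a user-supplied unsubscribe comment that tries
// to break out of the List-Unsubscribe line and add a header of its own.
const sampleList = {
  id: 'newsletter.example.com',
  unsubscribe: {
    url: 'https://example.com/unsub?u=123',
    comment: 'Unsubscribe\r\nX-Injected: yes',
  },
  help: [
    'https://example.com/help',
    { url: 'mailto:help@example.com', comment: 'Help desk' },
  ],
};

const result = sanitizeListConfig(sampleList);
console.log(result.findings);                      // [ 'unsubscribe.comment' ]
console.log(result.sanitized.unsubscribe.comment); // 'Unsubscribe X-Injected: yes'
```

Run `sanitizeListConfig` on the list object immediately before it is handed to the mailer, and treat a non-empty `findings` array as a signal worth logging: a legitimate comment has no reason to contain a line break, so each hit identifies an input field that is being probed.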

