DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-C7W3-X93F-QMM8: SMTP Command Injection in Nodemailer via CRLF Sequences

Vulnerability ID: GHSA-C7W3-X93F-QMM8
CVSS Score: 9.8
Published: 2026-03-26

Nodemailer, a widely used Node.js package for sending email, contains a critical input validation vulnerability: it does not sanitize the envelope.size parameter, so an attacker who controls that value can inject arbitrary SMTP commands via CRLF sequences. The flaw enables unauthorized email distribution, bypass of application-level recipient controls, and internal SMTP reconnaissance.

TL;DR

A critical vulnerability in Nodemailer allows for SMTP command injection. Attackers controlling the envelope.size parameter can append CRLF characters to inject unauthorized SMTP commands, leading to unauthorized email routing and potential spam distribution.


Technical Details

  • CWE ID: CWE-93, CWE-150, CWE-20
  • Attack Vector: Network
  • Impact: SMTP Command Injection / Unauthorized Email Routing
  • Vulnerable Component: lib/smtp-connection/index.js (envelope.size handling)
  • Exploit Status: Proof-of-Concept
  • CISA KEV Status: Not Listed

Affected Systems

  • Nodemailer (npm package: nodemailer)
  • Nodemailer: all releases before the fix commit 2d7b9710e63555a1eb13d721296c51186d4b5651 (short hash 2d7b9710e6)

Code Analysis

Commit: 2d7b971

Fix SMTP command injection in envelope.size handling

-        if (this._envelope.size && this._supportedExtensions.includes('SIZE')) {
-            args.push('SIZE=' + this._envelope.size);
-        }
+        if (this._envelope.size && this._supportedExtensions.includes('SIZE')) {
+            const sizeValue = Number(this._envelope.size) || 0;
+            if (sizeValue > 0) {
+                args.push('SIZE=' + sizeValue);
+            }
+        }
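Review bot: the new guard drops CRLF payloads (Number() of such a string is NaN, which `|| 0` turns into 0, so nothing is pushed), but `sizeValue > 0` still admits values that are not valid SIZE integers: Number('12.5') is 12.5 and Number('Infinity') is Infinity, so `SIZE=12.5` or `SIZE=Infinity` would be sent to the server. Consider tightening the condition to `if (Number.isSafeInteger(sizeValue) && sizeValue > 0)`, and a short comment above the block explaining why coercion replaced direct string interpolation would help future readers.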

Mitigation Strategies

  • Upgrade Nodemailer to the patched version incorporating the fix commit.
  • Implement strict input validation and sanitization for all user-provided data passed to Nodemailer configuration objects.
  • Filter carriage return (\r) and line feed (\n) characters from any application inputs mapping to SMTP fields.

Remediation Steps:

  1. Identify all Node.js projects utilizing the nodemailer package.
  2. Update the nodemailer dependency via npm or yarn to the latest stable release containing commit 2d7b9710e63555a1eb13d721296c51186d4b5651.
  3. Review application source code to locate instances where user input directly influences the envelope parameter.
  4. Apply strict type checking (e.g., ensuring size is an integer) at application boundaries.
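As an added example (not Nodemailer's or the report's own code), the boundary check that steps 3 and 4 call for: envelope.size is accepted only as a positive safe integer, and the address fields are refused if they carry a carriage return or line feed, before anything is handed to Nodemailer. The buildEnvelope and tryBuildEnvelope helper names are hypothetical.

```javascript
const CRLF_RE = /[\r\n]/;

// envelope.size: accept only a positive safe integer, given as a number or a
// digit-only string. Anything else (CRLF, decimals, 'Infinity', 0) is refused
// rather than coerced, so nothing unexpected is appended to MAIL FROM.
function sanitizeSize(value) {
  const str = String(value);
  if (!/^\d+$/.test(str)) throw new TypeError(`envelope.size must be a positive integer, got ${JSON.stringify(str)}`);
  const n = Number(str);
  if (!Number.isSafeInteger(n) || n <= 0) throw new RangeError(`envelope.size out of range: ${str}`);
  return n;
}

// Address fields: reject any value carrying a carriage return or line feed,
// since either would terminate the current SMTP command line.
function assertNoCrlf(field, value) {
  const str = String(value);
  if (CRLF_RE.test(str)) throw new Error(`envelope.${field} contains CR/LF`);
  return str;
}

// Hypothetical helper: build a Nodemailer envelope object from untrusted input,
// copying only the fields we validate and throwing on the first bad one.
function buildEnvelope(input) {
  const envelope = {};
  if (input.from !== undefined) envelope.from = assertNoCrlf('from', input.from);
  if (input.to !== undefined) {
    const list = Array.isArray(input.to) ? input.to : [input.to];
    envelope.to = list.map((addr) => assertNoCrlf('to', addr));
  }
  if (input.size !== undefined) envelope.size = sanitizeSize(input.size);
  return envelope;
}

// Non-throwing wrapper so callers can log and drop rejected requests.
function tryBuildEnvelope(input) {
  try {
    return { ok: true, envelope: buildEnvelope(input) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed sample inputs: one clean request, one with CRLF smuggled into size.
console.log(tryBuildEnvelope({ from: 'app@example.com', to: ['user@example.com'], size: '2048' }));
console.log(tryBuildEnvelope({ from: 'app@example.com', to: 'user@example.com', size: '2048\r\nextra' }));
```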


Read the full report for GHSA-C7W3-X93F-QMM8 on our website for more details including interactive diagrams and full exploit analysis.