GHSA-VVJJ-XCJG-GR5G: SMTP Command Injection via CRLF in Nodemailer
Vulnerability ID: GHSA-VVJJ-XCJG-GR5G
CVSS Score: 4.9
Published: 2026-04-08
Nodemailer versions up to 8.0.4 contain an SMTP command injection vulnerability due to improper neutralization of CRLF sequences in the transport name configuration. This allows attackers to inject arbitrary SMTP commands into the initial handshake.
TL;DR
A CRLF injection flaw in Nodemailer's connection logic allows attackers to execute arbitrary SMTP commands during the EHLO/HELO handshake, enabling email spoofing and phishing. Fixed in version 8.0.5.
⚠️ Exploit Status: PoC
Technical Details
- Vulnerability Type: CRLF Injection (Command Injection)
- CWE ID: CWE-93
- Attack Vector: Network
- CVSS Score: 4.9
- Impact: Integrity (Email Spoofing, Phishing Relays)
- Exploit Status: PoC Available
Affected Systems
- Node.js applications using Nodemailer for SMTP transport
- Multi-tenant SaaS platforms providing custom SMTP integrations
- nodemailer: <= 8.0.4 (Fixed in: 8.0.5)
Code Analysis
Commit: 0a43876
Fix CRLF injection in name parameter by stripping line breaks.
Mitigation Strategies
- Upgrade Nodemailer dependency to version 8.0.5 or later.
- Implement strict input validation for user-supplied SMTP configuration fields, specifically the `name` parameter.
- Filter out any carriage return (\r) and line feed (\n) characters from application configurations before passing them to the transport module.
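The validation mitigation above, as an added example that is not Nodemailer's own code: the `name` option becomes the EHLO/HELO hostname by string concatenation, so any CR/LF inside it ends the command early. The hostname pattern, the `hardenTransportOptions` wrapper and the sample values are assumptions made for this example.

```javascript
// Hostname shape per RFC 5321 (labels of letters, digits and hyphens joined
// by dots). Assumed for this example; extend it if you accept address literals.
const HOSTNAME_RE =
  /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/;

function hasLineBreak(value) {
  return /[\r\n]/.test(value);
}

// Strict variant: refuse anything that is not a plain hostname.
function validateSmtpName(name) {
  if (typeof name !== 'string') throw new TypeError('name must be a string');
  if (hasLineBreak(name)) throw new Error('name contains CR/LF');
  if (!HOSTNAME_RE.test(name)) throw new Error('name is not a valid hostname');
  return name;
}

// Lenient variant, same strategy as the upstream fix: strip line breaks.
function stripLineBreaks(name) {
  return String(name).replace(/[\r\n]+/g, '');
}

// Vulnerable pattern: the handshake line is built without any check, so a
// CR/LF in `name` terminates the EHLO command and starts a new SMTP line.
function unsafeEhloLine(name) {
  return `EHLO ${name}\r\n`;
}

// Hardened form: the same line, but only from a validated hostname.
function safeEhloLine(name) {
  return `EHLO ${validateSmtpName(name)}\r\n`;
}

// Counts how many SMTP command lines a raw buffer would be parsed as.
function countSmtpLines(raw) {
  return raw.split('\r\n').filter(Boolean).length;
}

// Wrap tenant-supplied options before handing them to nodemailer.createTransport.
function hardenTransportOptions(options) {
  const out = { ...options };
  if (out.name !== undefined) out.name = validateSmtpName(out.name);
  return out;
}

// Constructed sample values for the example.
const GOOD_NAME = 'mail.example.com';
const TAINTED_NAME = 'mail.example.com\r\nX'; // a stray line break in a config field
```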
Remediation Steps:
- Identify all projects and services utilizing the `nodemailer` package.
- Update the `package.json` file to require `nodemailer` version `>=8.0.5`.
- Execute package manager updates (e.g., `npm install`, `yarn upgrade`) to pull the patched dependency.
- Verify the installed version via `npm ls nodemailer`.
- Audit application logic to locate any instances where user input populates SMTP configuration objects.