GHSA-WQVQ-JVPQ-H66F: Security Control Bypass in Nodemailer via Transport Serialization
Vulnerability ID: GHSA-WQVQ-JVPQ-H66F
CVSS Score: 5.4
Published: 2026-06-15
Nodemailer prior to version 8.0.9 contains a security control bypass vulnerability. The transport-level configuration options that restrict local file system access and remote URL requests (disableFileAccess and disableUrlAccess) are not propagated to every content-resolution code path. When the application uses the jsonTransport transport or the attachDataUrls message flag, attacker-influenced message content can therefore still cause local file inclusion and server-side request forgery.
TL;DR
Nodemailer's disableFileAccess and disableUrlAccess security flags are bypassed when using jsonTransport or the attachDataUrls feature, enabling unauthorized local file reads and server-side request forgery.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-610 (Externally Controlled Reference to a Resource in Another Sphere)
- Attack Vector: Network
- CVSS Score: 5.4
- EPSS Score: 0.012
- Impact: Information Disclosure / Server-Side Request Forgery
- Exploit Status: PoC
- KEV Status: Not Listed
Affected Systems
- Nodemailer npm package
- nodemailer: < 8.0.9 (fixed in 8.0.9)
Exploit Details
- GitHub Security Advisory: Exploit details and mitigation strategy discussed in the official advisory.
Mitigation Strategies
- Upgrade Nodemailer to version 8.0.9 or higher, where the access restrictions are enforced on all content-resolution paths.
- Apply recursive validation (schema) checks to every user-supplied mail configuration object, including nested attachments, alternatives and attachment-like html/text/icalEvent fields, before it reaches sendMail().
- Enforce network firewall or egress rules that prevent the mail-sending process from contacting internal IP ranges and cloud metadata endpoints, so a bypass cannot be turned into reachable SSRF.
Remediation Steps:
- Run the command 'npm install nodemailer@8.0.9' (or any later release) to update the library to the patched version.
- Review the application codebase to identify occurrences of 'jsonTransport: true' or 'attachDataUrls: true', since those are the paths on which disableFileAccess and disableUrlAccess were not honoured.
- Implement a pre-submission filter middleware that rejects attachments and attachment-like fields referencing arbitrary local paths or remote URLs outside an explicit allowlist, rather than relying solely on the transport flags.
References
- GitHub Security Advisory GHSA-WQVQ-JVPQ-H66F (official advisory; see Exploit Details above).