GHSA-hwqf-gcqm-7353
HTTP Header Injection vulnerability in nodemailer (npm)


What is GHSA-hwqf-gcqm-7353 About?

This HTTP header injection vulnerability affects the 'nodemailer' package before 6.6.1, allowing attackers to inject arbitrary HTTP headers. This occurs if unsanitized user input containing newlines and carriage returns is used within an address object. The impact can range from email spoofing to more severe attacks depending on the context. Exploitation requires the injection of specific characters into sensitive input fields.

Affected Software

nodemailer <6.6.1

Technical Details

The 'nodemailer' package, specifically versions prior to 6.6.1, is vulnerable to HTTP Header Injection. This flaw exists when unsanitized user-supplied input, containing newline (\n) and carriage return (\r) characters, is passed into an address object (e.g., in the 'To', 'From', 'Cc', 'Bcc' fields). The presence of these characters allows an attacker to terminate existing email headers and inject arbitrary new headers. This can lead to various consequences such as email spoofing (changing the sender or receiver), altering email properties, or in some contexts, potentially launching more complex attacks like cross-site scripting if the injected headers are reflected elsewhere. The attack vector involves submitting malicious input to an application that constructs email messages using 'nodemailer' without proper input sanitization.

What is the Impact of GHSA-hwqf-gcqm-7353?

Successful exploitation may allow attackers to inject arbitrary HTTP headers, leading to email spoofing, manipulation of email properties, or other header-related attacks.

What is the Exploitability of GHSA-hwqf-gcqm-7353?

Exploitation of this HTTP Header Injection vulnerability is of moderate complexity. It typically requires no authentication if the application accepts user input for email addresses without prior authentication. No specific privileges are required. The attack is remote, as it involves submitting malicious data through a web form or API endpoint. The critical precondition is that the application uses a vulnerable version of 'nodemailer' and incorporates unsanitized user-supplied input (which may contain newline or carriage return characters) directly into an address object. The likelihood of exploitation is significantly increased in applications that process email addresses or names from untrusted sources without performing robust input validation and sanitization.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for GHSA-hwqf-gcqm-7353?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch enhances address sanitization by stripping control characters, newlines, and angle brackets from email addresses, and ensures addresses are properly quoted if containing spaces. This prevents header injection by neutralizing payloads that exploit email address fields to inject additional headers or malicious content. Thus, it effectively mitigates the header injection vulnerability described in CVE-2021-23400.
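As an added example (not nodemailer's own code and not the Resolved Security patch), the guard below shows how an application that builds address objects from user input can apply the same mitigation described above: raw input carrying CR, LF or other control characters is rejected before it reaches the mailer, and otherwise control characters and angle brackets are stripped and display names containing spaces are quoted. All function names and the sample inputs are assumptions constructed for this example.

```javascript
// Added example, not nodemailer code: a pre-send guard for address entries.
// Function names are assumed; inputs in the tests are constructed.

// True when the raw value contains a newline, carriage return or any other
// control character, which is the precondition for header injection.
function hasHeaderInjection(value) {
  return /[\x00-\x1f\x7f]/.test(String(value));
}

// Normalise one address entry in the shape nodemailer accepts: either a
// plain string "user@example.com" or an object { name, address }.
// Strips control characters and angle brackets, drops stray quotes, and
// quotes the display name when it contains whitespace so the result is
// always a single well-formed header token.
function sanitizeAddress(entry) {
  const obj = typeof entry === 'string' ? { name: '', address: entry } : { ...entry };
  const strip = (s) => String(s ?? '').replace(/[\x00-\x1f\x7f<>]/g, '').trim();
  const address = strip(obj.address);
  let name = strip(obj.name).replace(/"/g, '');
  if (/\s/.test(name)) name = `"${name}"`;
  return { name, address };
}

// Header value a mailer would emit for a sanitized entry.
function formatAddress(entry) {
  const { name, address } = sanitizeAddress(entry);
  return name ? `${name} <${address}>` : address;
}

// Call this before handing user-supplied recipients to the mailer.
// Entries with injection characters are reported and nothing is sent;
// otherwise every entry is returned in its sanitized header form.
function prepareRecipients(entries) {
  const list = Array.isArray(entries) ? entries : [entries];
  const rejected = list.filter((e) => {
    const raw = typeof e === 'string' ? e : `${e.name ?? ''}${e.address ?? ''}`;
    return hasHeaderInjection(raw);
  });
  if (rejected.length > 0) return { ok: false, rejected, cleaned: [] };
  return { ok: true, rejected: [], cleaned: list.map(formatAddress) };
}
```

Rejecting is the right default for the raw request; the stripping path exists so that data already stored before the upgrade is still rendered as one header line.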

Available Upgrade Options

  • nodemailer
    • <6.6.1 → Upgrade to 6.6.1


Additional Resources

What are Similar Vulnerabilities to GHSA-hwqf-gcqm-7353?

Similar Vulnerabilities: CVE-2022-24765, CVE-2021-29474, CVE-2020-13778, CVE-2020-11003, CVE-2019-10746