GHSA-vvjj-xcjg-gr5g
SMTP Command Injection vulnerability in nodemailer (npm)
What is GHSA-vvjj-xcjg-gr5g About?
Nodemailer versions up to 8.0.4 are vulnerable to SMTP command injection via CRLF sequences in the transport 'name' option. This allows attackers to inject arbitrary SMTP commands, leading to unauthorized email sending, spoofing, and phishing. Exploitation is easy if the attacker can influence the 'name' configuration.
Affected Software
Technical Details
The vulnerability in Nodemailer stems from a lack of sanitization for carriage return (\r) and line feed (\n) characters in the name configuration option of the SMTP transport. When an SMTP connection is established, the name value is directly concatenated into the EHLO/HELO SMTP command without any filtering for CRLF sequences. The _sendCommand method then writes this unsanitized string directly to the socket. If an attacker can inject \r\n into the name option, these characters will terminate the EHLO/HELO command prematurely, allowing the attacker to inject arbitrary subsequent SMTP commands. This occurs at the connection initialization stage, often before authentication, making it particularly potent.
What is the Impact of GHSA-vvjj-xcjg-gr5g?
Successful exploitation may allow attackers to send unauthorized emails, spoof email senders, conduct phishing attacks, bypass application-level controls on email recipients, and perform SMTP reconnaissance. This can lead to reputational damage, financial loss, or compromise of user accounts.
What is the Exploitability of GHSA-vvjj-xcjg-gr5g?
Exploitation requires the attacker to influence or control the name configuration option of the Nodemailer SMTP transport. This typically involves cases where the name option is sourced from user input, environment variables, or mutable database settings. The complexity is low, as it primarily involves injecting CRLF sequences into the name string. No prior authentication to the SMTP server is required for the initial injection, as it occurs during the EHLO/HELO command, often before authentication. No specific privilege is needed beyond the ability to set the name option. The attack is remote, targeting the application's email sending functionality. The main constraints are the application's configuration and how it handles the name parameter. Risk factors are significantly increased in multi-tenant environments or admin panels where users can configure SMTP settings.
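As an added, defender-side example (not nodemailer's own code and not taken from the advisory): a guard that validates the transport `name` option before it is handed to `createTransport`, so a value sourced from an admin panel, environment variable or tenant settings record, as described in the Technical Details and Exploitability sections above, cannot carry CR/LF into the EHLO/HELO line. The `isSafeHeloName` and `buildSmtpOptions` names and the sample settings are assumptions.

```javascript
// Added example, not nodemailer's code: fail closed on an unsafe transport
// `name` before it reaches the EHLO/HELO command. Nodemailer 8.0.5+ rejects
// CRLF itself; this guard is for applications that cannot upgrade yet or
// that let users edit SMTP settings and want the rejection logged.

// Conservative syntax check: RFC 1123 style hostname (letters, digits,
// hyphens, dot-separated labels) or a bracketed IPv4 / IPv6 address literal.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i;
const ADDR_LITERAL_RE = /^\[(?:(?:\d{1,3}\.){3}\d{1,3}|IPv6:[0-9a-f:.]+)\]$/i;

function isSafeHeloName(name) {
  if (typeof name !== 'string') return false;
  // The injection primitive is a CR or LF ending the EHLO line early, so any
  // control character is refused before the structural check is applied.
  if (/[\x00-\x1f\x7f]/.test(name)) return false;
  return HOSTNAME_RE.test(name) || ADDR_LITERAL_RE.test(name);
}

// Builds the options object for nodemailer.createTransport from a settings
// record under application control. Throws rather than silently substituting,
// so a poisoned setting surfaces in logs and monitoring instead of being sent.
function buildSmtpOptions(settings) {
  if (!isSafeHeloName(settings.name)) {
    throw new Error('SMTP transport name rejected: not a plain hostname or address literal');
  }
  return { host: settings.host, port: settings.port, name: settings.name };
}

// Constructed sample settings (hypothetical values), as a tenant might supply.
const tenantSettings = { host: 'smtp.example.test', port: 587, name: 'app.example.test' };
const opts = buildSmtpOptions(tenantSettings); // safe value passes through unchanged
```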
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-vvjj-xcjg-gr5g?
Available Upgrade Options
- nodemailer
- <8.0.5 → Upgrade to 8.0.5
Additional Resources
- https://osv.dev/vulnerability/GHSA-vvjj-xcjg-gr5g
- https://github.com/nodemailer/nodemailer
- https://github.com/nodemailer/nodemailer/commit/0a43876801a420ca528f492eaa01bfc421cc306e
- https://github.com/nodemailer/nodemailer/releases/tag/v8.0.5
- https://github.com/nodemailer/nodemailer/security/advisories/GHSA-vvjj-xcjg-gr5g
What are Similar Vulnerabilities to GHSA-vvjj-xcjg-gr5g?
Similar Vulnerabilities: CVE-2023-43646, CVE-2023-38408, CVE-2023-38407, CVE-2023-28155, GHSA-c7w3-x93f-qmm8
