CVE-2021-23400 – nodemailer
Package
Manager: npm
Name: nodemailer
Vulnerable Version: >=0 <6.6.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00536 (percentile 0.66496)
Details
Header injection in nodemailer
The package nodemailer before 6.6.1 is vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
Metadata
Created: 2021-12-10T18:56:57Z
Modified: 2021-06-30T17:38:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-hwqf-gcqm-7353/GHSA-hwqf-gcqm-7353.json
CWE IDs: ["CWE-74"]
Alternative ID: GHSA-hwqf-gcqm-7353
Finding: F184
Auto approve: 1