Typescript Email Headers Forgery
Description
Detects potential email header forgery vulnerabilities when AWS SES is used from Express.js applications. The weakness arises when user-controlled input (typically request parameters, query strings or body fields) reaches the parameters of an AWS SES sendEmail or sendRawEmail call. Depending on which field is tainted, an attacker can choose the sender address (Source / From), add or redirect recipients, or, when a raw MIME message is assembled from user input for sendRawEmail, inject additional headers such as Bcc by embedding CR/LF sequences in a header value.
Detection Strategy
• Code must import both 'express' and '@aws-sdk/client-ses' modules
• Identifies calls to the AWS SES sendEmail or sendRawEmail operations (SendEmailCommand / SendRawEmailCommand passed to client.send in SDK v3, or ses.sendEmail / ses.sendRawEmail in SDK v2)
• Checks whether the first argument (the email parameters object: Source, Destination, Message or RawMessage) contains user-controllable input, for example values taken from the Express request
• Reports a vulnerability if email headers, recipients or sender information can be manipulated by external input
Vulnerable code example
import { SESClient, SendEmailCommand } from "@aws-sdk/client-ses";
const ses = new SESClient({ region: "us-east-1" });
// Vulnerable: User input directly used in email headers
function sendEmail(userSubject, userEmail) {
  const command = new SendEmailCommand({
    Destination: { ToAddresses: [userEmail] },
    Message: { Subject: { Data: userSubject }, Body: { Text: { Data: "Hello" } } },
    Source: userEmail, // sender taken from the request: the caller controls the From header
  });
  return ses.send(command);
}
✅ Secure code example
import { SESClient, SendEmailCommand } from "@aws-sdk/client-ses";
const ses = new SESClient({ region: "us-east-1" });
const SENDER = "no-reply@example.com", ALLOWED_DOMAINS = ["example.com"]; // server-side constants, never user input
function sendEmail(userSubject, userEmail) {
  // Validate email format and domain allowlist
  if (!/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(userEmail)) {
    throw new Error("Invalid email format");
  }
  if (!ALLOWED_DOMAINS.includes(userEmail.split("@")[1])) throw new Error("Domain not allowed");
  if (/[\r\n]/.test(userSubject)) throw new Error("Invalid subject"); // no CR/LF in header values
  return ses.send(new SendEmailCommand({ Source: SENDER, Destination: { ToAddresses: [userEmail] },
    Message: { Subject: { Data: userSubject }, Body: { Text: { Data: "Hello" } } } }));
}
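The hardened pattern described above, as an added example that is not Fluid Attacks' code: it builds the sendEmail parameters with the sender pinned to a server-side constant and the recipient and subject validated, and it places a string-concatenated raw MIME builder (the sendRawEmail case) next to a validated one so the effect of a CR/LF in a header value is visible. The SDK is deliberately not imported so the file runs offline; the SendEmailParams interface mirrors the shape SendEmailCommand accepts. FIXED_SENDER, ALLOWED_RECIPIENT_DOMAINS and the INJECTED_SUBJECT payload are assumptions constructed for this example.

```typescript
// Added example: SES email parameters built from untrusted input, hardened.
// Assumption: the only sender identity this service may use, verified in SES.
const FIXED_SENDER = "no-reply@example.com";
// Assumption: recipients are restricted to these domains.
const ALLOWED_RECIPIENT_DOMAINS = ["example.com", "example.org"];

const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
const HEADER_BREAK_RE = /[\r\n\0]/;

// Local mirror of the object shape SendEmailCommand accepts (SDK not imported).
interface SendEmailParams {
  Source: string;
  Destination: { ToAddresses: string[] };
  Message: {
    Subject: { Data: string; Charset: string };
    Body: { Text: { Data: string; Charset: string } };
  };
}

/** Accepts one mailbox address on an allowlisted domain; rejects anything else. */
function validateRecipient(input: string): string {
  const addr = input.trim();
  if (addr.length > 254 || !EMAIL_RE.test(addr)) {
    throw new Error("Invalid email format");
  }
  const domain = addr.slice(addr.lastIndexOf("@") + 1).toLowerCase();
  if (ALLOWED_RECIPIENT_DOMAINS.indexOf(domain) === -1) {
    throw new Error("Recipient domain not allowed: " + domain);
  }
  return addr;
}

/** A header value may never contain CR, LF or NUL: a line break is what turns one header into two. */
function validateHeaderValue(name: string, value: string, maxLen: number = 200): string {
  if (HEADER_BREAK_RE.test(value)) {
    throw new Error(name + ": header injection attempt rejected");
  }
  if (value.length > maxLen) {
    throw new Error(name + ": value too long");
  }
  return value;
}

/** Secure sendEmail input: Source is a constant, recipient and subject are validated. */
function buildSendEmailParams(userEmail: string, userSubject: string, body: string): SendEmailParams {
  return {
    Source: FIXED_SENDER,
    Destination: { ToAddresses: [validateRecipient(userEmail)] },
    Message: {
      Subject: { Data: validateHeaderValue("Subject", userSubject), Charset: "UTF-8" },
      Body: { Text: { Data: body, Charset: "UTF-8" } },
    },
  };
}

/** Vulnerable sendRawEmail input: raw MIME assembled by concatenation.
 *  A CRLF inside the subject lets the caller append arbitrary headers. */
function buildRawMessageUnsafe(to: string, subject: string, body: string): string {
  return "From: " + FIXED_SENDER + "\r\nTo: " + to + "\r\nSubject: " + subject + "\r\n\r\n" + body;
}

/** Secure counterpart: every header value is validated before it is joined into the message. */
function buildRawMessage(to: string, subject: string, body: string): string {
  const headers: [string, string][] = [
    ["From", FIXED_SENDER],
    ["To", validateRecipient(to)],
    ["Subject", validateHeaderValue("Subject", subject)],
    ["MIME-Version", "1.0"],
    ["Content-Type", "text/plain; charset=UTF-8"],
  ];
  return headers.map(([k, v]) => k + ": " + v).join("\r\n") + "\r\n\r\n" + body;
}

/** Returns the header names of a raw message, to show what an injected CRLF produces. */
function headerNames(raw: string): string[] {
  const headerBlock = raw.split("\r\n\r\n")[0];
  return headerBlock.split("\r\n").map((line) => line.split(":")[0]);
}

// Constructed attacker input: a subject that smuggles a Bcc header.
const INJECTED_SUBJECT = "Your receipt\r\nBcc: spam-target@evil.example";

/** Runs the payload through both raw builders: the unsafe one gains a Bcc header, the safe one throws. */
function demo(): { unsafeHeaders: string[]; safeRejected: boolean } {
  const unsafeHeaders = headerNames(buildRawMessageUnsafe("alice@example.com", INJECTED_SUBJECT, "hi"));
  let safeRejected = false;
  try {
    buildRawMessage("alice@example.com", INJECTED_SUBJECT, "hi");
  } catch (_e) {
    safeRejected = true;
  }
  return { unsafeHeaders, safeRejected };
}
```

Two points the page's regex alone does not cover: the format check on the recipient says nothing about who the message claims to be from, so Source must come from configuration rather than from the request, and for sendRawEmail the check that matters is the CR/LF rejection on every header value, since SES sends the raw MIME as given.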