Fluid Attacks Database

Description

Command injection in nodemailer This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	node-nodemailer	>=0 <6.4.16-1	6.4.16-1
npm	nodemailer	>=0 <6.4.16	6.4.16
debian 11	node-nodemailer	>=0 <6.4.16-1	6.4.16-1
debian 14	node-nodemailer	>=0 <6.4.16-1	6.4.16-1
debian 13	node-nodemailer	>=0 <6.4.16-1	6.4.16-1

Aliases

1. CVE-2020-77692. NVD-2020-77693. OSV-DEBIAN-2020-77694. OSV-2020-77695. GCVE-2020-77696. SECURITY-TRACKER-CVE-2020-7769

References

1. https://github.com/nodemailer/nodemailer/commit/ba31c64c910d884579875c52d57ac45acc47aa542. https://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb27ebd0/lib/sendmail-transport/index.js#L753. https://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb27ebd0/lib/sendmail-transport/index.js%23L754. https://www.npmjs.com/package/nodemailer