Fluid Attacks Database

Description

Header injection in nodemailer The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	node-nodemailer	>=0 <6.4.17-3	6.4.17-3
debian 14	node-nodemailer	>=0 <6.4.17-3	6.4.17-3
npm	nodemailer	>=0 <6.6.1	6.6.1
debian 13	node-nodemailer	>=0 <6.4.17-3	6.4.17-3
debian 12	node-nodemailer	>=0 <6.4.17-3	6.4.17-3

Aliases

1. CVE-2021-234002. NVD-2021-234003. OSV-DEBIAN-2021-234004. OSV-2021-234005. GCVE-2021-234006. SECURITY-TRACKER-CVE-2021-23400

References

1. https://github.com/nodemailer/nodemailer/issues/12892. https://github.com/nodemailer/nodemailer/commit/7e02648cc8cd863f5085bad3cd09087bccf84b9f