MEDIUM 6.3
GHSA-hwqf-gcqm-7353
Header injection in nodemailer
Details
Versions of the nodemailer package before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
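The following input check is an added example, not code from nodemailer or from this advisory. It rejects carriage returns and newlines in address input before the input reaches a mail library. It is meant to sit alongside upgrading to 6.6.1 or later. The function names and the sample value are hypothetical; the `{ name, address }` shape is nodemailer's address object.

```javascript
// Added example: refuse CR/LF in address input (string, address object, or array).
// findLineBreaks and assertSafeAddress are hypothetical names, not nodemailer APIs.

const LINE_BREAK = /[\r\n]/;

// Returns the path of every field that contains a line break or has an invalid type.
function findLineBreaks(value, path = 'to') {
  if (value == null) return [];
  if (typeof value === 'string') {
    return LINE_BREAK.test(value) ? [path] : [];
  }
  if (Array.isArray(value)) {
    return value.flatMap((item, i) => findLineBreaks(item, `${path}[${i}]`));
  }
  if (typeof value === 'object') {
    // Only the two address-object fields are inspected; each must be a clean string.
    return ['name', 'address'].flatMap((key) => {
      const field = value[key];
      if (field == null) return [];
      const clean = typeof field === 'string' && !LINE_BREAK.test(field);
      return clean ? [] : [`${path}.${key}`];
    });
  }
  // Numbers, booleans and other types are not valid address input.
  return [path];
}

// Throws instead of silently stripping, so the caller can log and reject the request.
function assertSafeAddress(value, field = 'to') {
  const bad = findLineBreaks(value, field);
  if (bad.length > 0) {
    throw new Error(`line break or invalid type in address field(s): ${bad.join(', ')}`);
  }
  return value;
}

// Constructed sample input: a display name that carries an extra header line.
const constructedSample = {
  name: 'Alice\r\nX-Injected: 1',
  address: 'alice@example.com',
};
```

Call `assertSafeAddress` on every user-supplied `from`, `to`, `cc`, `bcc` and `replyTo` value before building the message object.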
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-23400 [ADVISORY]
- https://github.com/nodemailer/nodemailer/issues/1289 [WEB]
- https://github.com/nodemailer/nodemailer/commit/7e02648cc8cd863f5085bad3cd09087bccf84b9f [WEB]
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1314737 [WEB]
- https://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415 [WEB]