CRITICAL 9.8
GHSA-48ww-j4fc-435p
Command injection in nodemailer
Details
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in the sendmail transport used for sending mail.
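A defensive recipient check that an application can apply before handing addresses to a sendmail-style transport, shown as an added example that is not nodemailer's own code; the `transport.sendMail()` wrapper and the address pattern are assumptions for illustration.

```javascript
// Added example (not nodemailer's code): screen recipient addresses before a
// sendmail-style transport passes them on the command line of the sendmail binary.
// An address beginning with "-" would be read by that binary as a flag, which is
// the class of problem the advisory describes.
const SAFE_ADDRESS = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;

function isSafeRecipient(address) {
  if (typeof address !== 'string') return false;
  const trimmed = address.trim();
  // Reject empty values and anything that looks like a command-line flag.
  if (trimmed.length === 0 || trimmed.startsWith('-')) return false;
  // Reject whitespace and control characters that could split or confuse argv.
  if (/[\s\x00-\x1f\x7f]/.test(trimmed)) return false;
  return SAFE_ADDRESS.test(trimmed);
}

// Returns the cleaned list, or throws if any recipient fails the check.
function validateRecipients(recipients) {
  const list = Array.isArray(recipients) ? recipients : [recipients];
  const rejected = list.filter((a) => !isSafeRecipient(a));
  if (rejected.length > 0) {
    throw new Error(`Rejected unsafe recipient address(es): ${JSON.stringify(rejected)}`);
  }
  return list.map((a) => a.trim());
}

// Hypothetical wrapper: `transport` is any object exposing sendMail(message);
// validation happens before the transport ever sees the addresses.
async function sendMailSafely(transport, message) {
  const safe = { ...message, to: validateRecipients(message.to) };
  return transport.sendMail(safe);
}
```

Upgrading to nodemailer 6.4.16 or later is the actual fix; this check only adds a second layer in application code.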
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-7769 [ADVISORY]
- https://github.com/nodemailer/nodemailer/commit/ba31c64c910d884579875c52d57ac45acc47aa54 [WEB]
- https://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb27ebd0/lib/sendmail-transport/index.js#L75 [WEB]
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1039742 [WEB]
- https://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834 [WEB]
- https://www.npmjs.com/package/nodemailer [WEB]