GHSA-C7W3-X93F-QMM8: SMTP Command Injection in Nodemailer via CRLF Sequences

Nodemailer operates as a fundamental routing library for Node.js applications requiring electronic mail transmission capabilities. The software interfaces directly with upstream SMTP servers to negotiate message delivery, handling protocol-level commands on behalf of the application. GHSA-C7W3-X93F-QMM8 identifies a critical input validation flaw within the core SMTP connection handler.

The vulnerability allows threat actors to perform SMTP command injection via improper neutralization of CRLF sequences. This class of flaw, categorized under CWE-93, occurs when an application accepts untrusted input containing carriage return and line feed characters without appropriate sanitization. Because SMTP relies on these specific control characters to delineate commands, unsanitized input directly compromises the integrity of the protocol stream.

Applications become vulnerable when they expose the Nodemailer envelope configuration to external input. Threat actors exploit this pathway to append unauthorized commands to the active SMTP session. The resulting exploitation enables actions fundamentally outside the intended design of the vulnerable application, including sending unauthenticated spam or conducting localized reconnaissance.

The vulnerability originates in the lib/smtp-connection/index.js module during the construction of the MAIL FROM command sequence. When an upstream SMTP server advertises support for the SIZE extension (defined in RFC 1870), Nodemailer automatically appends the declared message size to the sender address declaration. The software extracts this size value directly from the user-provided envelope.size property.

The core failure lies in the implementation utilizing direct string concatenation without prior type validation or sanitization. The vulnerable codebase executes args.push('SIZE=' + this._envelope.size). Because the size variable accepts arbitrary strings, it can contain the carriage return and line feed characters (\r\n) required to terminate an SMTP command.

When Nodemailer transmits the concatenated string, the receiving SMTP server processes the injected CRLF sequence as the definitive end of the MAIL FROM transmission. The server immediately interprets any subsequent characters in the string as an entirely new, distinct SMTP command. This structural failure breaks the assumed boundary between application data and protocol control instructions.

The patch resolves the vulnerability by strictly enforcing data types on the envelope.size parameter. The developers replaced the direct string concatenation with a robust type coercion mechanism. The patched implementation passes the input through the standard JavaScript Number() function before evaluation.

// Vulnerable Implementation
if (this._envelope.size && this._supportedExtensions.includes('SIZE')) {
    args.push('SIZE=' + this._envelope.size);
}

The original code merely checked for the truthiness of this._envelope.size. Any non-empty string, including an injection payload, satisfied this condition and entered the command stream. The updated logic forces the input into a numeric context.

// Patched Implementation
if (this._envelope.size && this._supportedExtensions.includes('SIZE')) {
    const sizeValue = Number(this._envelope.size) || 0;
    if (sizeValue > 0) {
        args.push('SIZE=' + sizeValue);
    }
}

If an attacker submits a payload containing command injection sequences such as 100\r\nRCPT TO:<evil@example.com>, the Number() coercion evaluates the entire string. Because the string contains non-numeric characters, the evaluation strictly returns NaN (Not-a-Number). The subsequent logical OR operation (|| 0) defaults the result to zero. Finally, the conditional check if (sizeValue > 0) fails, preventing the system from appending the malformed SIZE extension entirely.

Attackers exploit this vulnerability by manipulating application inputs that map directly to the Nodemailer envelope configuration. The primary prerequisite involves locating an application endpoint that accepts arbitrary values for the size parameter and passes them unvalidated to the send() function. This typically manifests in custom mailer integrations or APIs designed to handle complex email routing.

The attacker constructs a targeted payload consisting of a valid integer, a CRLF sequence, and a secondary SMTP command. A standard payload takes the form of 100\r\nRCPT TO:<injected@evil.com>. When the application processes this input, the Nodemailer client transmits a fragmented command string to the upstream mail server.

The receiving SMTP server processes the first segment (MAIL FROM:<legit@app.com> SIZE=100) as a complete, syntactically valid command. It then interprets the subsequent line (RCPT TO:<hacker@evil.com>) as a distinct command originating from the authenticated client. This execution flow entirely bypasses any recipient limitations enforced by the Node.js application layer.

Successful exploitation grants an attacker arbitrary command execution within the context of the established SMTP session. The most direct consequence involves unauthorized email distribution. Threat actors utilize the application's authenticated, trusted SMTP session to originate spam or targeted phishing campaigns, effectively laundering their attacks through the victim's infrastructure.

By injecting supplementary RCPT TO commands, attackers bypass application-level recipient restrictions. Applications designed to send password resets or notifications strictly to registered users can be coerced into delivering those sensitive communications to external, attacker-controlled addresses. This facilitates data exfiltration and account takeover scenarios depending on the email content.

Furthermore, attackers utilize this vector to conduct internal reconnaissance against the SMTP infrastructure. Threat actors can inject commands such as VRFY or EXPN to enumerate internal mailing lists and user accounts. If the SMTP server possesses access to isolated network segments, the vulnerability serves as a pivot point for broader infrastructure mapping.

System administrators and developers must upgrade the nodemailer package to a release incorporating commit 2d7b9710e63555a1eb13d721296c51186d4b5651. This update ensures the library natively coerces the size parameter into a safe numeric format, neutralizing the injection vector at the library level. Organizations should verify their dependency trees to ensure secondary packages utilizing Nodemailer are similarly updated.

As a crucial defense-in-depth measure, applications should implement strict input validation on all user-supplied data destined for the mail envelope. Developers must ensure that all SMTP parameters, including from, to, and size, strictly reject inputs containing carriage return (\r) or line feed (\n) characters. Relying solely on downstream libraries for protocol sanitization violates core secure design principles.

Security operations teams should monitor upstream SMTP server logs for anomalous command sequences. Specifically, defenders should baseline typical application behavior and alert on sessions generating multiple, unexpected MAIL FROM or RCPT TO commands in rapid succession. High volumes of rejected commands within a single authenticated session often indicate active exploitation attempts against this protocol layer.