CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-VVJJ-XCJG-GR5G

GHSA-VVJJ-XCJG-GR5G: SMTP Command Injection via CRLF in Nodemailer

Amit Schendel
Amit Schendel
Senior Security Researcher

Apr 8, 2026·5 min read·27 visits

Executive Summary (TL;DR)

A CRLF injection flaw in Nodemailer's connection logic allows attackers to execute arbitrary SMTP commands during the EHLO/HELO handshake, enabling email spoofing and phishing. Fixed in version 8.0.5.

Nodemailer versions up to 8.0.4 contain an SMTP command injection vulnerability due to improper neutralization of CRLF sequences in the transport name configuration. This allows attackers to inject arbitrary SMTP commands into the initial handshake.

Vulnerability Overview

Nodemailer is a widely deployed Node.js module used for sending emails. Versions 8.0.4 and earlier contain a vulnerability in the handling of the transport name configuration option. This option identifies the client to the SMTP server during the initial handshake phase.

The vulnerability is classified as CWE-93, Improper Neutralization of CRLF Sequences. An attacker who controls the name parameter can inject arbitrary SMTP commands into the connection stream. The vulnerability manifests during the ESMTP and SMTP connection phases.

The impact relies on the application exposing the SMTP transport configuration to untrusted input. Once exploited, the vulnerability allows the attacker to silently prepend raw protocol commands to the application's legitimate SMTP session.

Root Cause Analysis

The root cause resides in the lib/smtp-connection/index.js file. During connection initialization, the library assigns the name property directly from the user-provided configuration object or a default hostname helper. The library does not strip or sanitize carriage return and line feed (CRLF) characters from this value.

When establishing the session, the library constructs handshake commands by concatenating the command verb with the unsanitized name property. The _sendCommand internal method appends a terminating CRLF sequence and writes the buffer to the socket. Because the application logic does not neutralize internal CRLF sequences, the SMTP server processes the injected line breaks as command delimiters.

The unsanitized parameter propagates into the EHLO, HELO, and LHLO commands. Handshakes often repeat after a STARTTLS secure connection is established, making this parameter a persistent injection vector throughout the session lifecycle.

Code Analysis

The vulnerability is evident in the assignment logic for the connection identifier. The vulnerable implementation reads the name property without prior validation or sanitization.

// Vulnerable Implementation (lib/smtp-connection/index.js)
this.name = this.options.name || this._getHostname();

The patch introduced in commit 0a43876801a420ca528f492eaa01bfc421cc306e mitigates this issue by enforcing a strict sanitization step. The developers utilized a regular expression to strip all carriage return and line feed characters during assignment.

// Patched Implementation (lib/smtp-connection/index.js)
this.name = (this.options.name || this._getHostname()).toString().replace(/[\r\n]+/g, '');

This fix ensures that regardless of the input provided to the transport configuration, the resulting name property remains a single logical string. The SMTP protocol relies strictly on CRLF sequences for command termination. Stripping these characters entirely removes the vector for command injection, neutralizing the threat.

Exploitation

Exploitation requires the attacker to control the name property within the SMTP transport configuration. This prerequisite restricts the attack surface primarily to multi-tenant SaaS platforms, administrative panels, or environments where configuration variables are dynamically populated from untrusted sources. Once the configuration is controlled, the attacker crafts a payload containing malicious SMTP commands separated by \r\n sequences.

const transport = nodemailer.createTransport({
    host: 'smtp.target-server.com',
    port: 25,
    secure: false,
    name: 'legit.host\r\nMAIL FROM:<attacker@evil.com>\r\n'
        + 'RCPT TO:<victim@target.com>\r\nDATA\r\n'
        + 'From: ceo@company.com\r\nTo: victim@target.com\r\n'
        + 'Subject: Urgent\r\n\r\nPhishing content\r\n.\r\nRSET'
});

When the application attempts to send an email, the injected sequence executes before the legitimate payload. The EHLO command is effectively terminated early, and the subsequent MAIL FROM, RCPT TO, and DATA commands are processed by the receiving server. The attacker concludes their payload with the RSET command or a similar terminator to discard the application's appended legitimate commands.

Impact Assessment

The primary impact of this vulnerability is unauthorized email transmission and sender spoofing. By injecting raw SMTP commands, an attacker bypasses the application's intended restrictions on recipient addresses and message content. The attacker leverages the legitimate application's authorized SMTP relay to distribute malicious content.

This attack mechanism allows the threat actor to bypass domain reputation checks, Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) protections associated with the relay. The receiving servers interpret the emails as originating from the compromised application's infrastructure.

The CVSS v3.1 score for this vulnerability is 4.9. The score reflects a Moderate severity due to the high privileges required (PR:H) to influence the application's internal SMTP configuration. The confidentiality and availability metrics remain unaffected (C:N, A:N), while the integrity impact is high (I:H) due to the complete control over the emitted network stream.

Remediation

The vulnerability is fully resolved in Nodemailer version 8.0.5. Organizations utilizing Nodemailer must upgrade their dependencies to this version or later to ensure the name parameter is correctly sanitized. No configuration changes are required to activate the patch.

If immediate patching is not feasible, developers must implement strict input validation on any user-supplied data used in the SMTP transport configuration. The validation logic must reject any string containing carriage return (\x0d) or line feed (\x0a) characters. The application should enforce a strict allowlist of characters for the hostname parameter, limited to alphanumeric characters, hyphens, and periods.

Security teams should monitor outbound SMTP traffic for unusual patterns. Multiple command sequences transmitted in a single packet during the EHLO or HELO phases serve as an indicator of attempted command injection. WAF and network inspection tools can alert on consecutive SMTP commands found inside initial handshake sequences.

Official Patches

NodemailerVersion 8.0.5 Release Notes

Fix Analysis (1)

Technical Appendix

CVSS Score
4.9/ 10
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Affected Systems

Node.js applications using Nodemailer for SMTP transportMulti-tenant SaaS platforms providing custom SMTP integrations

Affected Versions Detail

Product
Affected Versions
Fixed Version
nodemailer
Nodemailer
<= 8.0.48.0.5
AttributeDetail
Vulnerability TypeCRLF Injection (Command Injection)
CWE IDCWE-93
Attack VectorNetwork
CVSS Score4.9
ImpactIntegrity (Email Spoofing, Phishing Relays)
Exploit StatusPoC Available

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1566Phishing
Initial Access
CWE-93
Improper Neutralization of CRLF Sequences

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Vulnerability Timeline

Fix committed to Nodemailer repository
2026-04-07
GitHub Advisory GHSA-VVJJ-XCJG-GR5G published
2026-04-08
Nodemailer version 8.0.5 released
2026-04-08

References & Sources

  • [1]GitHub Advisory GHSA-VVJJ-XCJG-GR5G
  • [2]Nodemailer Fix Commit
  • [3]Nodemailer v8.0.5 Release Notes

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•1 minute ago•GHSA-F66Q-9RF6-8795
5.3

GHSA-f66q-9rf6-8795: WebAuthn Re-authentication Freshness Bypass in Flask-Security-Too

An authentication freshness bypass vulnerability exists in the WebAuthn re-authentication path of Flask-Security-Too versions 5.8.0 and 5.8.1. The flaw allows an authenticated attacker to elevate the freshness status of a victim session using their own WebAuthn credential, bypassing re-authentication constraints.

Amit Schendel
Amit Schendel
0 views•5 min read
•30 minutes ago•CVE-2026-50127
5.9

CVE-2026-50127: Server-Side Request Forgery Bypass via IPv6 Transition Prefixes in Weblate

A Server-Side Request Forgery (SSRF) vulnerability exists in Weblate's private address validator when the VCS_RESTRICT_PRIVATE setting is enabled. By exploiting IPv6 transition mechanisms, such as NAT64, 6to4, or IPv4-compatible configurations, an attacker can bypass private network boundaries and access internal services.

Alon Barad
Alon Barad
2 views•6 min read
•about 1 hour ago•GHSA-P2FR-6HMX-4528
6.4

GHSA-p2fr-6hmx-4528: Unbound Resource Indicators Allow Cross-Audience Access Token Escalation in @better-auth/oauth-provider

A security vulnerability in @better-auth/oauth-provider allows OAuth clients to obtain access tokens for unauthorized audiences due to unbound resource indicators. The implementation fails to bind the requested target resource to the initial authorization grant. Consequently, a client can request an access token targeting any resource server within the global allowlist, bypassing user consent boundaries.

Alon Barad
Alon Barad
3 views•6 min read
•about 1 hour ago•GHSA-86J7-9J95-VPQJ
8.8

GHSA-86J7-9J95-VPQJ: Stored Cross-Site Scripting in Better Auth Plugins via Malicious Redirect URIs

A stored cross-site scripting vulnerability exists in the oidc-provider and mcp plugins of Better Auth. Attackers can register malicious clients with javascript: redirect URIs, leading to origin takeover when users authorize the client.

Amit Schendel
Amit Schendel
5 views•5 min read
•about 2 hours ago•GHSA-9H47-PQCX-HJR4
9.8

GHSA-9H47-PQCX-HJR4: Insecure Cryptographic Defaults in Better Auth OIDC Provider

The Better Auth framework's OIDC provider implementation (oidcProvider) contained insecure cryptographic defaults before version 1.6.11. It advertised the insecure alg=none signing algorithm and accepted plain PKCE challenges by default, leaving downstream clients vulnerable to token signature bypasses and authorization code interception attacks.

Alon Barad
Alon Barad
4 views•6 min read
•about 3 hours ago•GHSA-2VG6-77G8-24MP
3.8

GHSA-2vg6-77g8-24mp: Insufficient Session Expiration via Incomplete Cleanup in Better Auth Ecosystem

A critical session persistence vulnerability exists within the Better Auth framework when configured to use external secondary storage (such as Redis or Cloudflare KV) with default database options. Due to four incomplete user-deletion code paths, active user sessions are not evicted from secondary storage caches during deletion events. As a result, deleted users retain full system access via their pre-existing session cookies until the Session Time-To-Live (TTL) expires.

Amit Schendel
Amit Schendel
4 views•5 min read