Moole Vulnerability Database

Find real vulnerabilities before they ship

High

CVE-2021-23400

The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

VectorNETWORK

PublishedJun 29, 2021, 12:15

Published Byreport@snyk.io

Base Score

Score8.8

Affected Versions

Package (Ecosystem)IntroducedFixedLimit

nodemailer(npm)06.6.1N/A

References

https://github.com/nodemailer/nodemailer/commit/7e02648cc8cd863f5085bad3cd09087bccf84b9f
https://github.com/nodemailer/nodemailer/issues/1289
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1314737
https://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415

Weakness Type

CWE-74

CVSS Metrics

Base Score

8.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base SeverityHigh

Version

3.1

Attack Vector (AV)

NETWORK