SB2026040859 - CRLF injection in nodemailer
Published: April 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) CRLF injection (CVE-ID: N/A)
CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject arbitrary SMTP commands.
The vulnerability exists due to improper neutralization of CRLF sequences in the transport name option in lib/smtp-connection/index.js when constructing EHLO, HELO, or LHLO commands. A remote privileged user can supply a specially crafted name value containing CRLF sequences to inject arbitrary SMTP commands.
The issue occurs during SMTP connection initialization before the application's intended message commands are processed.
Remediation
Install update from vendor's website.