CRLF injection in nodemailer - #VU125300

Published: April 8, 2026


Vulnerability identifier: #VU125300
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-93
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: nodemailer
Affected software:
nodemailer

Detailed vulnerability description

The vulnerability allows a remote user to inject arbitrary SMTP commands.

The vulnerability exists due to improper neutralization of CRLF sequences in the transport "name" option (the client hostname that nodemailer places in the EHLO, HELO or LHLO greeting) in lib/smtp-connection/index.js. A remote privileged user who can set the transport name to a value containing CRLF sequences can terminate the greeting early and append arbitrary SMTP commands, which the server then executes as if the application had sent them.

The injected commands are sent during SMTP connection initialization, before the application's own message commands (MAIL FROM, RCPT TO, DATA) are issued, so they run regardless of what the application intends to send. Because the transport name is normally application configuration rather than end-user input, exploitation requires control over that configuration value, which is why the CVSS vector records high privileges (PR:H).
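The following is an added illustration, not nodemailer's own code: a minimal greeting builder that concatenates the name into the command (as the vulnerable path does) shows how a CRLF-bearing value becomes two SMTP commands on the wire, and a hardened variant rejects any name that is not a plain hostname or address literal before it is written. The builder, the regular expression and the sample name are assumptions made for this example.

```javascript
// Added illustration (not nodemailer's code): a CRLF in the transport "name"
// turns one EHLO greeting into several SMTP commands, and a check rejects
// such values before they reach the socket.

// Assumption: the greeting is built by string concatenation, as in the
// vulnerable path; this minimal builder stands in for the real one.
function buildGreeting(command, name) {
  return `${command} ${name}\r\n`;
}

// Split the outgoing byte stream into SMTP lines the way a server does.
// Lenient servers also accept a bare LF, so both terminators are honoured.
function splitSmtpLines(wire) {
  return wire.split(/\r?\n/).filter((line) => line.length > 0);
}

// Hardened variant: the EHLO/HELO/LHLO argument may only be a hostname or an
// address literal such as [192.0.2.10] (RFC 5321 section 4.1.3). CR, LF,
// whitespace and every other control byte fall outside this character set.
const SAFE_NAME = /^[A-Za-z0-9.\-\[\]:]+$/;

function assertSafeName(name) {
  if (typeof name !== 'string' || !SAFE_NAME.test(name)) {
    throw new Error('Invalid transport name: must be a hostname or address literal');
  }
  return name;
}

function buildGreetingSafe(command, name) {
  return buildGreeting(command, assertSafeName(name));
}

// Constructed attacker-controlled value: a legitimate-looking hostname
// followed by a CRLF and an injected MAIL FROM command.
const INJECTED_NAME = 'mail.example.test\r\nMAIL FROM:<attacker@example.test>';

// Returns what the server would see from the vulnerable builder and whether
// the hardened builder refused the same value.
function demo() {
  const vulnerableWire = buildGreeting('EHLO', INJECTED_NAME);
  const commandsSeen = splitSmtpLines(vulnerableWire);
  let hardenedError = null;
  try {
    buildGreetingSafe('EHLO', INJECTED_NAME);
  } catch (e) {
    hardenedError = e.message;
  }
  return { commandsSeen, hardenedError };
}

const result = demo();
console.log('server sees:', result.commandsSeen);
console.log('hardened builder:', result.hardenedError);
```

The allow-list approach is preferable to stripping CR and LF, because a stripped value still reaches the server in a form the operator never configured, while rejection surfaces the tampered configuration instead of silently sending a mangled greeting.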


Remediation

Install the security update from the vendor's website.

Until the update is applied, treat the transport name as trusted configuration only: do not derive it from request data, and reject any value containing CR or LF characters before passing it to the transport.