Improper Certificate Validation in nodemailer - #VU132359

Published: May 27, 2026


Vulnerability identifier: #VU132359
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: nodemailer
Affected software:
nodemailer

Detailed vulnerability description

The vulnerability allows a remote attacker positioned on the network path to disclose sensitive OAuth credentials.

The vulnerability exists due to improper certificate validation in the internal HTTPS fetch client (lib/fetch/index.js) used to retrieve OAuth2 tokens. Because the client does not reject an untrusted or mismatched server certificate, an attacker who can intercept traffic between the application and the OAuth2 token endpoint can present an invalid or self-signed certificate, terminate the TLS connection, and read the token request, which carries the credentials sent to the endpoint (for a refresh-token grant, the client secret and refresh token), as well as the access token returned in the response.

The issue affects OAuth2 token requests and any other outbound HTTPS request that goes through the internal fetch implementation.


Remediation

Install the security update from the vendor's website. After updating, consider rotating the OAuth2 client secret and refresh tokens of any deployment that fetched tokens over a network path an attacker could have occupied, since credentials disclosed through this flaw remain valid until revoked.

Sources