Nodemailer: >> Nodemailer >> 0.3.25 Security Vulnerabilities
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-12-18
The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
CVSS Score
6.3
EPSS Score
0.005
Published
2021-06-29
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.
CVSS Score
8.6
EPSS Score
0.005
Published
2020-11-12