CVE-2021-23400
MEDIUM
nodemailer < 6.6.1 - HTTP Header Injection via Address Object
Title source: llm
Description
The package nodemailer before 6.6.1 is vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
References (4)
Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415
Exploit, Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1314737
Third Party Advisory x_refsource_misc
https://github.com/nodemailer/nodemailer/issues/1289
Patch, Third Party Advisory x_refsource_misc
https://github.com/nodemailer/nodemailer/commit/7e02648cc8cd863f5085bad3cd09087bccf84b9f
Scores
CVSS v3
6.3
EPSS
0.0138
EPSS Percentile
68.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Details
CWE
CWE-74
Status
published
Products (2)
nodemailer/nodemailer
< 6.6.1
npm/nodemailer
0 - 6.6.1 (npm)
Published
Jun 29, 2021
Tracked Since
Feb 18, 2026