Skip to content

Header injection vulnerability in address object #1289

Closed
@tmazeika

Description

@tmazeika

Please fill the following questionnaire about your issue:

  1. What kind of issue are you reporting?
  • A bug in Nodemailer
  • A bug in a plugin of Nodemailer (eg. issues with nodemailer-sendgrid)
  • Feature request
  • Looking for help to resolve some kind of problem with Nodemailer
  1. Are you listed as a sponsor of Nodemailer project (see Sponsors button above)?
  • Yes. Sponsors get priority support
  • No. Unless it is a bug in Nodemailer you might find support from public forums like StackOverflow.
  1. State your problem here:

I've got a pretty standard sendMail call here in an HTTP handler:

await transporter.sendMail({
  from: '...',
  to: '...',
  replyTo: {
    name,
    address,
  },
  subject: 'My Subject',
  text: message,
});

An address that contains line-breaks can add arbitrary SMTP headers. In my mind, the reason for using an address object is to avoid having to deal with escaping odd names and addresses (like would be necessary with `${name} <${address}>`); therefore, it is expected that name and address don't have to be sanitized. Otherwise, it's not just an address object, but an "address plus maybe arbitrary headers," which is not something anyone would want to have. I'm not sure what other fields are vulnerable. This was discovered by @lol768.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions