VYPR
← All advisories
Moderate severityNVD Advisory· Published Jun 29, 2021· Updated Sep 16, 2024

HTTP Header Injection

CVE-2021-23400

Description

Nodemailer before 6.6.1 allows HTTP Header Injection via unsanitized newlines in user-supplied address objects.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nodemailer before 6.6.1 allows HTTP Header Injection via unsanitized newlines in user-supplied address objects.

Vulnerability

The nodemailer package before version 6.6.1 is vulnerable to HTTP Header Injection. When an address object (e.g., replyTo) contains unsanitized user input with newlines (\r\n), an attacker can inject arbitrary SMTP headers [1], [2]. This affects all versions prior to the fix [1].

Exploitation

An attacker can exploit this by providing a crafted email address containing newlines and carriage returns, for example as part of an HTTP request parameter [3]. No authentication is required if the application passes user input directly into the address object. The attacker can inject headers like Subject or other SMTP headers [2].

Impact

Successful exploitation allows an attacker to inject arbitrary SMTP headers, potentially leading to email spoofing, phishing, or other email-related attacks [3]. The impact is limited to email headers; the message body may also be affected if the injection allows header continuation.

Mitigation

Upgrade to nodemailer version 6.6.1 or higher, which sanitizes the input [1], [3]. The fix was committed in the nodemailer repository [1]. There is no known workaround.

References
  1. NVD - CVE-2021-23400
  2. Header injection vulnerability in address object
  3. Snyk Vulnerability Database | Snyk

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
nodemailernpm
< 6.6.16.6.1

Affected products

2

Patches

1
7e02648cc8cd

v6.6.1

https://github.com/nodemailer/nodemailerAndris ReinmanMay 23, 2021via ghsa
commit
5 files changed · +37 11
  • CHANGELOG.md+4 0 modified
    @@ -1,5 +1,9 @@
 # CHANGELOG
 
+## 6.6.1 2021-05-23
+
+-   Fixed address formatting issue where newlines in an email address, if provided via address object, were not properly removed. Reported by tmazeika (#1289)
+
 ## 6.6.0 2021-04-28
 
 -   Added new option `newline` for MailComposer
  • examples/mailcomposer.js+3 1 modified
    @@ -9,7 +9,9 @@ const mailOptions = {
         from: 'Daemon <deamon@kreata.ee>',
         to: 'mailer@kreata.ee, Mailer <mailer2@kreata.ee>'
     },
-    text: 'Test\n 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ö\r\nsage',
+    text: `Alice was beginning to get very tired of sitting by her sister on the bank, and of having nothing to do: once or twice she had peeped into the book her sister was reading, but it had no pictures or conversations in it, 'and what is the use of a book,' thought Alice 'without pictures or conversations?'
+
+So she was considering in her own mind (as well as she could, for the hot day made her feel very sleepy and stupid), whether the pleasure of making a daisy-chain would be worth the trouble of getting up and picking the daisies, when suddenly a White Rabbit with pink eyes ran close by her.`,
     newline: '\r\n'
 };
  • lib/mime-node/index.js+27 7 modified
    @@ -1147,9 +1147,9 @@ class MimeNode {
                 address.address = this._normalizeAddress(address.address);
 
                 if (!address.name) {
-                    values.push(address.address);
+                    values.push(address.address.indexOf(' ') >= 0 ? `<${address.address}>` : `${address.address}`);
                 } else if (address.name) {
-                    values.push(this._encodeAddressName(address.name) + ' <' + address.address + '>');
+                    values.push(`${this._encodeAddressName(address.name)} <${address.address}>`);
                 }
 
                 if (address.address) {
@@ -1158,9 +1158,8 @@ class MimeNode {
                     }
                 }
             } else if (address.group) {
-                values.push(
-                    this._encodeAddressName(address.name) + ':' + (address.group.length ? this._convertAddresses(address.group, uniqueList) : '').trim() + ';'
-                );
+                let groupListAddresses = (address.group.length ? this._convertAddresses(address.group, uniqueList) : '').trim();
+                values.push(`${this._encodeAddressName(address.name)}:${groupListAddresses};`);
             }
         });
 
@@ -1174,13 +1173,17 @@ class MimeNode {
      * @return {String} address string
      */
     _normalizeAddress(address) {
-        address = (address || '').toString().trim();
+        address = (address || '')
+            .toString()
+            .replace(/[\x00-\x1F<>]+/g, ' ') // remove unallowed characters
+            .trim();
 
         let lastAt = address.lastIndexOf('@');
         if (lastAt < 0) {
             // Bare username
             return address;
         }
+
         let user = address.substr(0, lastAt);
         let domain = address.substr(lastAt + 1);
 
@@ -1189,7 +1192,24 @@ class MimeNode {
         // 'jõgeva.ee' will be converted to 'xn--jgeva-dua.ee'
         // non-unicode domains are left as is
 
-        return user + '@' + punycode.toASCII(domain.toLowerCase());
+        let encodedDomain;
+
+        try {
+            encodedDomain = punycode.toASCII(domain.toLowerCase());
+        } catch (err) {
+            // keep as is?
+        }
+
+        if (user.indexOf(' ') >= 0) {
+            if (user.charAt(0) !== '"') {
+                user = '"' + user;
+            }
+            if (user.substr(-1) !== '"') {
+                user = user + '"';
+            }
+        }
+
+        return `${user}@${encodedDomain}`;
     }
 
     /**
  • package.json+2 2 modified
    @@ -1,6 +1,6 @@
 {
     "name": "nodemailer",
-    "version": "6.6.0",
+    "version": "6.6.1",
     "description": "Easy as cake e-mail sending from your Node.js applications",
     "main": "lib/nodemailer.js",
     "scripts": {
@@ -31,7 +31,7 @@
         "libbase64": "1.2.1",
         "libmime": "5.0.0",
         "libqp": "1.1.0",
-        "mocha": "8.3.2",
+        "mocha": "8.4.0",
         "nodemailer-ntlm-auth": "1.0.1",
         "proxy": "1.0.2",
         "proxy-test-server": "1.0.0",
  • .travis.yml+1 1 modified
    @@ -4,7 +4,7 @@ node_js:
     - 10
     - 12
     - 14
-    - 15
+    - 16
 notifications:
     email:
         - andris@kreata.ee

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.