npm package
nodemailer
pkg:npm/nodemailer
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-14874 | — | | | < 7.0.11 | 7.0.11 | Dec 18, 2025 | A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser. |
| CVE-2025-13033 | High | 7.5 | | < 7.0.7 | 7.0.7 | Nov 14, 2025 | A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to m |
| CVE-2021-23400 | — | | | < 6.6.1 | 6.6.1 | Jun 29, 2021 | The package nodemailer before 6.6.1 is vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object. |
| CVE-2020-7769 | — | | | < 6.4.16 | 6.4.16 | Nov 12, 2020 | This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails. |