CVE-2021-23400: nodemailer < 6.6.1 - HTTP Header Injection Vulnerability - 6.6.1
RMutharaju opened this issue
RMutharaju commented
Hello,
Node-red-nodes email has dependency "nodemailer": "~6.6.0",
The package nodemailer before 6.6.1 is vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
https://nvd.nist.gov/vuln/detail/CVE-2021-23400
Solution:
Update Node.js Package: nodemailer to version 6.6.1 or later.
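The condition named in the CVE description above (newlines or carriage returns reaching an address object) can also be checked at the application boundary. The following is an added example, not part of the original issue and not nodemailer's own code; the function names and the list of fields checked are assumptions, and the sample message is constructed.

```javascript
// Added example: reject CR/LF in address values before a message is handed
// to a mail library. Function names and the field list are hypothetical.
const ADDRESS_FIELDS = ['from', 'sender', 'to', 'cc', 'bcc', 'replyTo'];
const LINE_BREAK = /[\r\n]/;

// Record a path string for every address value that contains CR or LF.
function findLineBreaks(value, path, hits) {
  if (typeof value === 'string') {
    if (LINE_BREAK.test(value)) hits.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((item, i) => findLineBreaks(item, `${path}[${i}]`, hits));
  } else if (value && typeof value === 'object') {
    // Address object form: { name: 'Display Name', address: 'user@example.com' }
    for (const key of ['name', 'address']) {
      if (key in value) findLineBreaks(value[key], `${path}.${key}`, hits);
    }
  }
  return hits;
}

// Return the paths of all address values that contain a line break.
function checkAddressFields(message) {
  const hits = [];
  for (const field of ADDRESS_FIELDS) {
    if (message[field] !== undefined) findLineBreaks(message[field], field, hits);
  }
  return hits;
}

// Throw if any address value contains CR/LF; otherwise pass the message through.
function assertSafeAddresses(message) {
  const hits = checkAddressFields(message);
  if (hits.length > 0) {
    throw new Error(`CR/LF found in address field(s): ${hits.join(', ')}`);
  }
  return message;
}

// Constructed sample: a display name that carries an extra header line.
const sample = {
  from: { name: 'Support', address: 'support@example.com' },
  to: [{ name: 'Alice\r\nBcc: other@example.com', address: 'alice@example.com' }],
  subject: 'Hello',
};
console.log(checkAddressFields(sample));
```

This check complements the upgrade to 6.6.1 or later; it does not replace it.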
Andris Reinman commented
After reviewing the vulnerability there is no need to change anything in mailparser as the vulnerable parts of Nodemailer are not used and thus do not apply to mailparser.