nodemailer / mailparser

Decode mime formatted e-mails

CVE-2021-23400: nodemailer < 6.6.1 - HTTP Header Injection Vulnerability - 6.6.1

RMutharaju opened this issue · comments

Hello,

Node-red-nodes email has the dependency "nodemailer": "~6.6.0".

The package nodemailer before 6.6.1 is vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

https://nvd.nist.gov/vuln/detail/CVE-2021-23400

Solution:
Update Node.js Package: nodemailer to version 6.6.1 or later.

After reviewing the vulnerability, there is no need to change anything in mailparser as the vulnerable parts of Nodemailer are not used and thus do not apply to mailparser.
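
As an added example (not code from nodemailer, mailparser or this issue), one way a caller can reject carriage returns and newlines before building the address object described in the issue. The names `checkField` and `safeAddressList` are hypothetical and the sample input is constructed.

```javascript
// Added example: validate values before they are handed to a mailer as an
// address object. Function names are hypothetical, not a library API.

// Any ASCII control character, including \r and \n, can end a header line.
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;

function checkField(label, value) {
  if (typeof value !== 'string') {
    throw new TypeError(`${label} must be a string`);
  }
  if (CONTROL_CHARS.test(value)) {
    throw new Error(`${label} contains control characters`);
  }
  return value.trim();
}

// Accepts "user@example.com", { name, address }, or an array of either.
// Returns an array of { name, address } objects, or throws on bad input.
function safeAddressList(input) {
  const items = Array.isArray(input) ? input : [input];
  return items.map((item, i) => {
    if (typeof item === 'string') {
      item = { name: '', address: item };
    }
    if (item === null || typeof item !== 'object') {
      throw new TypeError(`recipient[${i}] must be a string or an object`);
    }
    const rawName = item.name === undefined ? '' : item.name;
    const name = checkField(`recipient[${i}].name`, rawName);
    const address = checkField(`recipient[${i}].address`, item.address);
    // Deliberately strict: one "@", no whitespace, no angle brackets.
    if (!/^[^\s@<>]+@[^\s@<>]+$/.test(address)) {
      throw new Error(`recipient[${i}].address is not a plain address`);
    }
    return { name, address };
  });
}

// Constructed sample: a display name carrying an extra header line.
function demo() {
  const hostile = { name: 'Alice\r\nX-Test: 1', address: 'alice@example.com' };
  try {
    safeAddressList(hostile);
    return 'accepted';
  } catch (err) {
    return 'rejected';
  }
}
```

Validation of this kind complements the upgrade to 6.6.1 or later named in the issue; it does not replace it.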