GHSA-9h6g-pr28-7cqp: nodemailer ReDoS when trying to send a specially crafted email
A ReDoS (regular expression denial of service) vulnerability occurs when nodemailer parses img files with the attachDataUrls
parameter set, stalling the Node.js event loop.
Another flaw was found when nodemailer parses an attachment with an embedded file, likewise stalling the event loop.
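As an added example that is not part of this advisory or of nodemailer's own code, the following pulls data: URLs out of img src attributes by walking the HTML once with indexOf, with no backtracking regular expression, so a crafted body cannot make the parse time explode; the function name, the returned field names and the maxUrlLength cap are assumptions.

```javascript
'use strict';

// Linear-time extraction of data: URLs from <img src="..."> attributes.
// The string is scanned once with indexOf; there is no regex that could
// backtrack, so running time is bounded by the input length. Malformed or
// oversized src values are skipped rather than retried.
function extractImgDataUrls(html, maxUrlLength = 10 * 1024 * 1024) {
  const results = [];
  let pos = 0;
  for (;;) {
    const tagStart = html.indexOf('<img', pos);
    if (tagStart === -1) break;
    const tagEnd = html.indexOf('>', tagStart);
    if (tagEnd === -1) break;                 // unterminated tag: stop, no retry
    const tag = html.slice(tagStart, tagEnd);
    pos = tagEnd + 1;

    const srcIdx = tag.indexOf('src=');
    if (srcIdx === -1) continue;
    const quote = tag[srcIdx + 4];
    if (quote !== '"' && quote !== "'") continue;
    const valStart = srcIdx + 5;
    const valEnd = tag.indexOf(quote, valStart);
    if (valEnd === -1) continue;
    const src = tag.slice(valStart, valEnd);

    if (!src.startsWith('data:') || src.length > maxUrlLength) continue;
    const comma = src.indexOf(',');
    if (comma === -1) continue;
    const header = src.slice(5, comma);       // e.g. "image/png;base64"
    const semi = header.indexOf(';');
    const mime = semi === -1 ? header : header.slice(0, semi);
    const base64 = semi !== -1 && header.slice(semi + 1) === 'base64';
    results.push({ mime, base64, data: src.slice(comma + 1) });
  }
  return results;
}

// Measure wall-clock time of one extraction, so a pathological input can be
// checked for bounded behaviour instead of an event-loop stall.
function timeExtract(html) {
  const t0 = process.hrtime.bigint();
  const out = extractImgDataUrls(html);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { count: out.length, ms };
}
```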
References
- gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6
- gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698
- github.com/advisories/GHSA-9h6g-pr28-7cqp
- github.com/nodemailer/nodemailer
- github.com/nodemailer/nodemailer/commit/dd8f5e8a4ddc99992e31df76bcff9c590035cd4a
- github.com/nodemailer/nodemailer/security/advisories/GHSA-9h6g-pr28-7cqp