Advisory Database
  • Advisories
  • Dependency Scanning
  1. npm
  2. ›
  3. nodemailer
  4. ›
  5. GHSA-9h6g-pr28-7cqp

GHSA-9h6g-pr28-7cqp: nodemailer ReDoS when trying to send a specially crafted email

January 31, 2024 (updated September 3, 2025)

A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter attachDataUrls set, causing the stuck of event loop. Another flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop.

References

  • gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6
  • gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698
  • github.com/advisories/GHSA-9h6g-pr28-7cqp
  • github.com/nodemailer/nodemailer
  • github.com/nodemailer/nodemailer/commit/dd8f5e8a4ddc99992e31df76bcff9c590035cd4a
  • github.com/nodemailer/nodemailer/security/advisories/GHSA-9h6g-pr28-7cqp

Code Behaviors & Features

Detect and mitigate GHSA-9h6g-pr28-7cqp with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 6.9.9

Fixed versions

  • 6.9.9

Solution

Upgrade to version 6.9.9 or above.

Impact 5.3 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Learn more about CVSS

Weakness

  • CWE-1333: Inefficient Regular Expression Complexity

Source file

npm/nodemailer/GHSA-9h6g-pr28-7cqp.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Thu, 04 Sep 2025 12:20:53 +0000.