Advisories for Npm/Smtp-Server package

2026

smtp-server's command parser memory exhaustion denial-of-service

Versions of smtp-server prior to v3.18.3 are vulnerable to an unauthenticated memory-exhaustion denial of service. smtp-server's command parser allows any remote client to consume server memory by sending data without newline characters. The server's _remainder buffer in SMTPStream._write grows without limit, leading to heap exhaustion, prolonged GC pauses that freeze the event loop and, in some cases, a process crash. The _write method in lib/smtp-stream.js appends incoming TCP chunks to this._remainder in command mode. The …
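The mitigation the advisory implies is a cap on how much of a partial command line the parser will hold before a newline arrives. The following is an added example, not code from smtp-server or its maintainers: a stand-alone bounded line accumulator in Node.js with a hypothetical BoundedLineParser class and an assumed 4 KiB limit. It splits TCP chunks into CRLF- or LF-terminated lines, and once the pending remainder (or any single line) exceeds the limit it discards the buffer and raises an error so the connection can be dropped instead of letting memory grow.

```javascript
// Added example (not smtp-server's code): a bounded command-line accumulator.
// Chunks are appended to a remainder buffer until a newline completes a line,
// but the remainder is never allowed to exceed maxLineBytes. A client that
// streams data without ever sending "\n" therefore hits a hard error instead
// of growing the server's heap without limit.
const MAX_LINE_BYTES = 4096; // assumed limit; SMTP command lines are far shorter

class BoundedLineParser {
  constructor(maxLineBytes = MAX_LINE_BYTES) {
    this.maxLineBytes = maxLineBytes;
    this.remainder = Buffer.alloc(0); // bytes after the last newline seen
    this.failed = false;
  }

  // Bytes currently buffered while waiting for a newline.
  pendingBytes() {
    return this.remainder.length;
  }

  // Feed one TCP chunk. Returns the complete lines found (CR/LF stripped).
  // Throws when a line, complete or partial, exceeds the configured limit.
  push(chunk) {
    if (this.failed) throw new Error('parser already failed; connection should be closed');
    const data = Buffer.concat([this.remainder, chunk]);
    const lines = [];
    let start = 0;
    let idx;
    while ((idx = data.indexOf(0x0a, start)) !== -1) {
      let end = idx;
      if (end > start && data[end - 1] === 0x0d) end--; // drop a trailing CR
      if (end - start > this.maxLineBytes) this.fail();
      lines.push(data.subarray(start, end).toString('utf8'));
      start = idx + 1;
    }
    this.remainder = data.subarray(start);
    // Key check: an unterminated line must not be allowed to grow unbounded.
    if (this.remainder.length > this.maxLineBytes) this.fail();
    return lines;
  }

  // Release the buffered bytes and mark the parser unusable.
  fail() {
    this.failed = true;
    this.remainder = Buffer.alloc(0);
    throw new Error(`command line exceeds ${this.maxLineBytes} bytes without newline`);
  }
}

// Constructed demonstration: normal fragmented commands parse, a
// newline-free flood of 10 KiB is rejected and its buffer released.
function demo() {
  const ok = new BoundedLineParser();
  const first = ok.push(Buffer.from('EHLO example.test\r\nMAIL FR'));
  const second = ok.push(Buffer.from('OM:<a@example.test>\r\n'));
  const flood = new BoundedLineParser();
  let rejected = false;
  try {
    flood.push(Buffer.alloc(10 * 1024, 0x41));
  } catch (e) {
    rejected = true;
  }
  return { first, second, rejected, pendingAfterReject: flood.pendingBytes() };
}

module.exports = { BoundedLineParser, MAX_LINE_BYTES, demo };
```

In a real server the thrown error should translate into destroying the socket; the parser also refuses further input after a failure so a caller cannot accidentally keep feeding it.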