
nodemailer ReDoS when trying to send a specially crafted email

Moderate severity GitHub Reviewed Published Jan 31, 2024 in nodemailer/nodemailer • Updated Feb 1, 2024

Package

npm nodemailer (npm)

Affected versions

<= 6.9.8

Patched versions

6.9.9

Description

Summary

A ReDoS vulnerability occurs when nodemailer parses img data URLs with the attachDataUrls option set, blocking the event loop.
Another flaw was found when nodemailer parses an attachment with an embedded file, also blocking the event loop.

Details

Regex: /^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/

Path: compile -> getAttachments -> _processDataUrl

Regex: /(<img\b[^>]* src\s*=[\s"']*)(data:([^;]+);[^"'>\s]+)/

Path: _convertDataImages
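The following is an added example, not nodemailer's own code. It places the two patterns quoted in Details (written as valid regex literals, no flags) beside linear-time replacements that do the same job without backtracking, adds a gate on the version ranges stated above, and times both approaches on constructed inputs of the shape the patterns backtrack on (many ';' without a ',' for the data: URL pattern; many '<img' starts without a closing '>' for the img pattern). The helper names, the sample HTML and the crafted inputs are all assumptions made for the example.

```javascript
'use strict';
// Added example, not nodemailer's code: backtracking-prone patterns from the advisory
// beside linear-time replacements, a version gate, and a timing check.

// Patterns as quoted in the advisory's Details section.
const DATA_URL_RE = /^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/;
const IMG_DATA_URL_RE = /(<img\b[^>]* src\s*=[\s"']*)(data:([^;]+);[^"'>\s]+)/;

// Replacement for the data: URL regex: one indexOf plus one split, so the work
// grows linearly with input length regardless of what the input contains.
function parseDataUrl(value) {
  if (typeof value !== 'string' || !value.toLowerCase().startsWith('data:')) return null;
  const comma = value.indexOf(',');
  if (comma === -1) return null;                 // no payload separator: not a data URL
  const header = value.slice(5, comma);          // e.g. "image/png;base64"
  const params = header.split(';');
  return {
    mime: params[0] || 'text/plain',             // RFC 2397 default when the type is omitted
    isBase64: params.slice(1).some((p) => p.trim().toLowerCase() === 'base64'),
    data: value.slice(comma + 1),
  };
}

// Replacement for the <img src="data:..."> regex: tags are located with indexOf and
// every byte is visited once; the per-tag regex has no nested quantifiers and only
// ever runs over the text of a single tag.
const SRC_IN_TAG_RE = /\ssrc\s*=[\s"']*(data:[^"'>\s]+)/i;
function findImgDataUrls(html) {
  const found = [];
  const lower = html.toLowerCase();
  let pos = 0;
  for (;;) {
    const start = lower.indexOf('<img', pos);
    if (start === -1) break;
    const end = html.indexOf('>', start);
    if (end === -1) break;                       // unterminated tag: nothing left to convert
    const m = SRC_IN_TAG_RE.exec(html.slice(start, end));
    if (m && parseDataUrl(m[1])) found.push(m[1]);
    pos = end + 1;                               // never rescan a tag already consumed
  }
  return found;
}

// Version gate from the advisory: <= 6.9.8 affected, 6.9.9 first patched release.
function isAffectedVersion(version) {
  const v = String(version).replace(/^v/, '').split('-')[0].split('.').map(Number);
  const patched = [6, 9, 9];
  for (let i = 0; i < 3; i++) {
    if (v[i] !== patched[i]) return (v[i] || 0) < patched[i];
  }
  return false;
}

function elapsedMs(fn) {
  const t0 = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed inputs (assumption for the example): a data: URL made of ';' with no ','
// and a run of '<img' starts with no closing '>'. Returns wall-clock milliseconds for
// the quoted patterns and for the linear replacements on the same input.
function timeOnCraftedInput(n = 10000) {
  const craftedDataUrl = 'data:' + ';'.repeat(n);
  const craftedHtml = '<img'.repeat(n / 4);
  return {
    dataUrlRegexMs: elapsedMs(() => DATA_URL_RE.test(craftedDataUrl)),
    dataUrlParserMs: elapsedMs(() => parseDataUrl(craftedDataUrl)),
    imgRegexMs: elapsedMs(() => IMG_DATA_URL_RE.test(craftedHtml)),
    imgScannerMs: elapsedMs(() => findImgDataUrls(craftedHtml)),
  };
}

console.log(timeOnCraftedInput());
```

Run it with node to see the timings for the quoted patterns grow far faster than for the replacements as n increases; the quoted patterns themselves are not modified here, and the fix that actually matters is upgrading to 6.9.9 or later, which isAffectedVersion gates on. The parser and scanner are useful as pre-validation of untrusted attachment paths and HTML before they reach the mail composer.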

PoC

https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6
https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698

Impact

ReDoS blocks the event loop; a specially crafted malicious email can trigger it.

References

andris9 published to nodemailer/nodemailer Jan 31, 2024
Published to the GitHub Advisory Database Jan 31, 2024
Reviewed Jan 31, 2024
Last updated Feb 1, 2024

Severity

Moderate
5.3 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-9h6g-pr28-7cqp
