js · nodemailer
Heads-up
Nodemailer List-* Header Injection via Unsanitized Comments
Nodemailer's List-* header construction from caller-provided list comments does not sanitize CR/LF characters, allowing header injection.
What changed
Nodemailer builds List-* headers (List-Unsubscribe, List-Help and similar) from the list option, including any caller-provided comment text, without sanitizing CR/LF characters. Because message headers are separated by CR LF, a comment containing those characters can end the header early and be interpreted as additional header lines, so untrusted comment values become a header injection vector.
Who it affects
Applications that use Nodemailer and let lower-privileged or unauthenticated users influence the comment value of any list.* entry passed to sendMail.
What to do today
Update Nodemailer to a patched version once one is available, or sanitize list comments by removing CR/LF characters before passing them to sendMail.
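The mitigation above, as an added example rather than Nodemailer's own code: a small wrapper that strips CR and LF from every list.*.comment (and url) value before the options object reaches sendMail. It assumes the Nodemailer list option shape, where each key holds a string, an object with url and comment, or an array of those; the input message is constructed.

```javascript
// Added example (not Nodemailer's own code). Assumes the Nodemailer "list"
// option shape: each key (help, unsubscribe, subscribe, post, owner, archive)
// is a string, an object { url, comment }, or an array of those.

const CRLF_RE = /[\r\n]/g;

// Header values must never contain bare CR or LF; drop them outright.
function stripCrlf(value) {
  return typeof value === 'string' ? value.replace(CRLF_RE, '') : value;
}

// Sanitize one list entry while preserving its original shape.
// url is cleaned as well for defence in depth; comment is the field at issue.
function sanitizeListEntry(entry) {
  if (Array.isArray(entry)) return entry.map(sanitizeListEntry);
  if (entry && typeof entry === 'object') {
    const clean = { ...entry };
    if ('url' in clean) clean.url = stripCrlf(clean.url);
    if ('comment' in clean) clean.comment = stripCrlf(clean.comment);
    return clean;
  }
  return stripCrlf(entry);
}

// Return a copy of the sendMail() options with a sanitized "list" block;
// the caller's object is left untouched.
function sanitizeListHeaders(mailOptions) {
  if (!mailOptions || !mailOptions.list) return mailOptions;
  const list = {};
  for (const [name, entry] of Object.entries(mailOptions.list)) {
    list[name] = sanitizeListEntry(entry);
  }
  return { ...mailOptions, list };
}

// Constructed input: comment text carrying CR/LF, as an untrusted caller might supply.
const untrusted = {
  from: 'noreply@example.com',
  to: 'user@example.com',
  subject: 'Newsletter',
  list: {
    help: { url: 'https://example.com/help', comment: 'Help desk\r\nsecond line' },
    unsubscribe: [
      { url: 'https://example.com/unsub', comment: 'Unsubscribe\n' },
      'mailto:unsub@example.com',
    ],
  },
};

const safe = sanitizeListHeaders(untrusted); // pass `safe`, not `untrusted`, to transporter.sendMail()
```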