js · nodemailer
Heads-up
Nodemailer OAuth2 TLS Certificate Verification Disabled
What changed
Nodemailer's internal HTTPS fetch client disables TLS certificate verification via rejectUnauthorized: false in lib/fetch/index.js, causing OAuth2 token requests to trust invalid or self-signed certificates.
Who it affects
Applications using Nodemailer with OAuth2 authentication, where an attacker in a machine-in-the-middle position can intercept OAuth credentials (client_secret, refresh_token, access tokens).
What to do today
Upgrade Nodemailer to a patched version or override the TLS options to enforce certificate verification.
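The second option above, enforcing verification yourself, as an added example that is not Nodemailer's code: it builds `https.request()` options for an OAuth2 token POST with `rejectUnauthorized` pinned to `true`, and audits a caller-supplied options object for settings that would switch verification off. It goes slightly beyond the single setting the advisory names, also flagging a custom `checkServerIdentity` and the process-wide `NODE_TLS_REJECT_UNAUTHORIZED=0` environment variable; the function names and the `oauth2.example.test` endpoint are hypothetical.

```javascript
// Added example, not Nodemailer's code. Function names and the endpoint URL
// below are hypothetical; the weak options object is a constructed sample.

// Caller-supplied keys that can weaken or remove TLS peer verification.
const UNSAFE_TLS_KEYS = ['rejectUnauthorized', 'checkServerIdentity'];

// Return a list of findings for a TLS/HTTPS options object. An empty list means
// Node's default verification (rejectUnauthorized: true) is left intact.
function auditTlsOptions(opts, env = process.env) {
  const findings = [];
  if (opts && opts.rejectUnauthorized === false) {
    findings.push('rejectUnauthorized:false accepts any certificate, self-signed included');
  }
  if (opts && typeof opts.checkServerIdentity === 'function') {
    findings.push('custom checkServerIdentity may skip hostname verification');
  }
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push('NODE_TLS_REJECT_UNAUTHORIZED=0 disables verification process-wide');
  }
  return findings;
}

// Build https.request() options for a POST to an OAuth2 token endpoint. Caller
// options are copied, but anything that could disable verification is dropped
// and rejectUnauthorized is pinned to true. Non-HTTPS endpoints are refused so
// client_secret and refresh_token never travel in cleartext.
function hardenedTokenRequestOptions(tokenUrl, callerOpts = {}) {
  const url = new URL(tokenUrl);
  if (url.protocol !== 'https:') {
    throw new Error(`refusing non-HTTPS token endpoint: ${url.protocol}`);
  }
  const safe = {};
  for (const [k, v] of Object.entries(callerOpts)) {
    if (!UNSAFE_TLS_KEYS.includes(k)) safe[k] = v;
  }
  return {
    ...safe,
    method: 'POST',
    hostname: url.hostname,
    port: url.port || 443,
    path: url.pathname + url.search,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded', ...(callerOpts.headers || {}) },
    rejectUnauthorized: true,
  };
}

// Constructed sample: the weak setting, and what the hardened builder makes of it.
const weak = { rejectUnauthorized: false, timeout: 5000 };
console.log(auditTlsOptions(weak, {}));
console.log(hardenedTokenRequestOptions('https://oauth2.example.test/token', weak).rejectUnauthorized); // true
```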