js · nodemailer · Heads-up
Nodemailer: Security bypass in jsonTransport and attachDataUrls
What changed
Nodemailer's jsonTransport and attachDataUrls paths bypass disableFileAccess and disableUrlAccess security controls, allowing local file reads and outbound HTTP requests even when those options are enabled.
Who it affects
Applications using jsonTransport for serialization or queueing, or using attachDataUrls, while relying on disableFileAccess/disableUrlAccess to restrict message content resolution.
What to do today
Review your use of jsonTransport and attachDataUrls; if you rely on disableFileAccess/disableUrlAccess, either avoid jsonTransport or apply a workaround until a patch is released.
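One possible application-side check for the review step above, added here as an example and not taken from Nodemailer or from this advisory: it flags message fields that name a file or URL, or that set attachDataUrls, before the message reaches the transport. The helper names and the reject-everything policy are assumptions; the field names are Nodemailer message options.

```javascript
// Added example: application-side guard; it does not rely on Nodemailer's own checks.
// Field names are Nodemailer message options; the reject-everything policy is an assumption.
const CONTENT_FIELDS = ['text', 'html', 'amp', 'watchHtml', 'icalEvent', 'raw'];
const LIST_FIELDS = ['attachments', 'alternatives'];

// data: URIs are inline; http(s) means a network fetch; anything else is a local path.
function classifyPath(value) {
  if (/^data:/i.test(value)) return null;
  return /^https?:\/\//i.test(value) ? 'url' : 'file';
}

function inspectNode(node, where, findings) {
  if (!node || typeof node !== 'object' || Buffer.isBuffer(node)) return;
  if (typeof node.href === 'string') findings.push({ where: `${where}.href`, kind: 'url' });
  if (typeof node.path === 'string') {
    const kind = classifyPath(node.path);
    if (kind) findings.push({ where: `${where}.path`, kind });
  }
  if (node.raw) inspectNode(node.raw, `${where}.raw`, findings); // nested raw source
}

function findExternalReferences(message) {
  const findings = [];
  if (message.attachDataUrls) findings.push({ where: 'attachDataUrls', kind: 'option' });
  for (const field of CONTENT_FIELDS) inspectNode(message[field], field, findings);
  for (const field of LIST_FIELDS) {
    (message[field] || []).forEach((item, i) => inspectNode(item, `${field}[${i}]`, findings));
  }
  return findings;
}

// Call before transporter.sendMail(); throws rather than letting content be resolved.
function assertSelfContained(message) {
  const findings = findExternalReferences(message);
  if (findings.length) {
    const list = findings.map(f => `${f.where} (${f.kind})`).join(', ');
    throw new Error(`message references external content: ${list}`);
  }
  return message;
}

// Constructed sample messages.
const safeMessage = { to: 'a@example.com', text: 'hi', attachments: [{ filename: 'a.txt', content: 'x' }] };
const riskyMessage = {
  to: 'a@example.com',
  html: { path: '/srv/app/templates/welcome.html' },
  attachDataUrls: true,
  attachments: [{ href: 'http://internal.example/report' }, { path: 'data:text/plain;base64,aGk=' }]
};
```

A stream opened with fs.createReadStream also exposes a string `path`, so this guard reports it as a file reference; pass Buffers or strings if the message has to clear the check.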