npm

nodemailer

15 known vulnerabilities · 0 critical · 3 high

GHSA-c7w3-x93f-qmm8

Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter

Published Mar 26, 2026

CVE-2025-14874

Duplicate Advisory: Nodemailer is vulnerable to DoS through Uncontrolled Recursion

Published Dec 18, 2025

CVE-2025-13033

Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict

Published Oct 7, 2025

GHSA-rcmh-qjqh-p98v

Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls

Published Dec 1, 2025

GHSA-268h-hp4c-crq3

Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection

Published Jun 15, 2026

GHSA-r7g4-qg5f-qqm2

Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception

Published Jun 15, 2026

GHSA-wqvq-jvpq-h66f

Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization

Published Jun 15, 2026

GHSA-vvjj-xcjg-gr5g

Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO)

Published Apr 8, 2026

CVE-2020-7769 · HIGH

Command injection in nodemailer

Published May 10, 2021

CVE-2021-23400 · MEDIUM

Header injection in nodemailer

Published Dec 10, 2021

GHSA-jj37-3377-m6vv

Duplicate Advisory: Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict

Published Nov 14, 2025

GHSA-p6gq-j5cr-w38f

Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message

Published Jun 18, 2026

CVE-2017-16072 · HIGH

nodemailer.js is malware

Published Aug 29, 2018

CVE-2017-16071 · HIGH

nodemailer-js is malware

Published Aug 29, 2018

MAL-2024-11149

Malicious code in noirxnodemailer (npm)

Published Nov 29, 2024