CVE-2021-23400
MEDIUM6.3EPSS 0.54%Header injection in nodemailer
Published: 12/10/2021Modified: 4/28/2026
Description
The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
Affected packages (2)
- Debian/node-nodemailerfrom 0, < 6.4.17-3
- npm/nodemailerfrom 0, < 6.6.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-23400
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-23400
- WEBhttps://github.com/nodemailer/nodemailer/commit/7e02648cc8cd863f5085bad3cd09087bccf84b9f
- WEBhttps://github.com/nodemailer/nodemailer/issues/1289
- WEBhttps://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1314737
- WEBhttps://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415