#VU125300 CRLF injection in nodemailer

Published: April 8, 2026


Vulnerability identifier: #VU125300
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-93
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
nodemailer
Software vendor:
nodemailer

Description

The vulnerability allows a remote privileged user to inject arbitrary SMTP commands.

The vulnerability exists due to improper neutralization of CRLF sequences in the transport name option in lib/smtp-connection/index.js when constructing EHLO, HELO, or LHLO commands. The name value is interpolated into the greeting command line without validation, so a remote privileged user who controls that option can supply a specially crafted name containing CRLF sequences; each CRLF terminates the greeting early and the text that follows is parsed by the SMTP server as additional commands.

The issue occurs during SMTP connection initialization, so the injected commands reach the server before the application's intended message commands (MAIL FROM, RCPT TO, DATA) are sent.


Remediation

Install the security update from the vendor's website.

External links