Description
The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
Remediation
References
https://github.com/nodemailer/nodemailer/commit/7e02648cc8cd863f5085bad3cd09087bccf84b9f
https://github.com/nodemailer/nodemailer/issues/1289
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1314737
https://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415
Related Vulnerabilities
CVE-2023-22477 Vulnerability in npm package mercurius
CVE-2021-25941 Vulnerability in npm package deep-override
CVE-2018-11693 Vulnerability in maven package org.webjars.npm:node-sass
CVE-2022-29172 Vulnerability in maven package org.webjars.npm:auth0-lock
CVE-2021-43812 Vulnerability in npm package @auth0/nextjs-auth0