Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[fix] nodemailer vulnerable version #429

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

[fix] nodemailer vulnerable version #429

wants to merge 1 commit into from

Conversation

CharlesArea
Copy link

nodemailer 4.0.1 有兩個比較嚴重的vulnerabilities,

  1. Command Injection CVE-2020-7769
    例如 -
-bi@example.com (-bi Initialize the alias database.)
-d0.1a@example.com (The option -d0.1 prints the version of Sendmail and the options it was compiled with.)
-Dfilename@example.com (Debug output file)
  1. HTTP Header Injection CVE-2021-23400
    例如 -
const userEmail = 'foo@bar.comrnSubject: foobar'; // imagine this comes from e.g. HTTP request params or is otherwise user-controllable
await transporter.sendMail({
from: '...',
to: '...',
replyTo: {
name: 'Customer',
address: userEmail,
},
subject: 'My Subject',
text: message,
});

建議從 4.0.1 升級到 6.7.2 / 6.6.1 (暫時沒有發現相容性的問題)

@CLAassistant
Copy link

CLAassistant commented Feb 18, 2022
edited
Loading

CLA assistant check
All committers have signed the CLA.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@CharlesArea @CLAassistant