Nodemailer Denial-of-Service Vulnerability via Crafted Email Address Header

Vulnerability

A denial-of-service vulnerability has been identified in Nodemailer, allowing for infinite recursion in the address parser. This issue arises when the parser processes a specially crafted email address header that includes nested group structures, which are not permitted by RFC 5322. The lack of a recursion depth limit causes the parser to repeatedly call itself for each nested group, leading to a stack overflow and immediate termination of the process. This vulnerability affects Nodemailer versions through 7.0.10.

Impact

Exploitation of this vulnerability causes the Node.js process to crash, terminating the application using Nodemailer. In environments managed by process managers like PM2 or Forever, this can create a loop of continuous restarts, exhausting system resources.

Reproduction

The vulnerability can be reproduced by sending an email through Nodemailer with a 'to' header that includes a deep nesting of groups, using colons to separate the group identifiers. This can be automated with a script that constructs such a header and sends it via Nodemailer's email transport.

Remediation

Users can upgrade to Nodemailer version 7.0.11 or later, where this vulnerability has been patched.
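As defense in depth alongside the upgrade, an application can reject a malformed address header before it ever reaches the library's parser. The following is an added example, not Nodemailer's own code: a simplified scanner (not a full RFC 5322 parser) that measures group nesting depth, skipping quoted strings, comments, angle-addrs and domain literals so that colons inside them are not miscounted, and flags anything deeper than the single group level RFC 5322 permits.

```javascript
// Added example (not Nodemailer's code). RFC 5322 allows one group level,
// e.g. "Team: a@example.com, b@example.com;", but no groups inside groups.
// maxGroupDepth() returns the deepest group nesting seen in a header value.
function maxGroupDepth(header) {
  let depth = 0;           // current group nesting level
  let maxDepth = 0;        // deepest level seen so far
  let inQuote = false;     // inside a "..." quoted-string
  let commentDepth = 0;    // inside (...) comments, which RFC 5322 lets nest
  let closer = null;       // '>' or ']' while inside <angle-addr> or [domain-literal]

  for (let i = 0; i < header.length; i++) {
    const ch = header[i];
    // quoted-pair: the next character is literal inside quotes or comments
    if (ch === '\\' && (inQuote || commentDepth > 0)) { i++; continue; }
    if (inQuote) { if (ch === '"') inQuote = false; continue; }
    if (commentDepth > 0) {
      if (ch === '(') commentDepth++;
      else if (ch === ')') commentDepth--;
      continue;
    }
    // colons inside <...> or [...] (e.g. IPv6 literals) are not group markers
    if (closer !== null) { if (ch === closer) closer = null; continue; }
    switch (ch) {
      case '"': inQuote = true; break;
      case '(': commentDepth = 1; break;
      case '<': closer = '>'; break;
      case '[': closer = ']'; break;
      case ':': depth++; if (depth > maxDepth) maxDepth = depth; break;
      case ';': if (depth > 0) depth--; break;
      default: break;
    }
  }
  return maxDepth;
}

// Accept a header only if its group nesting stays within the RFC 5322 limit
// (one level). `limit` is a parameter of this example, not a Nodemailer option.
function isSafeAddressHeader(header, limit = 1) {
  return maxGroupDepth(header) <= limit;
}

// Constructed sample inputs for illustration.
console.log(isSafeAddressHeader('Team: alice@example.com, bob@example.com;')); // true
console.log(isSafeAddressHeader('outer: inner: carol@example.com;;'));         // false
```

Run the check on every user-supplied recipient field and refuse the message (and log the event) when it returns false; a high nesting depth in inbound data is a useful detection signal as well as a guard.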

Added: Dec 18, 2025, 9:56 AM
Updated: Dec 18, 2025, 3:22 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.