Lettermint Node.js SDK Email Property Leakage Vulnerability

Vulnerability

A vulnerability exists in the Lettermint Node.js SDK, specifically in versions prior to 1.5.1. The issue arises because email properties, including recipient addresses, subject lines, and attachments, are not cleared between sends when the same client instance is used for multiple .send() calls. This oversight can lead to unintended sharing of content or recipient information. The vulnerability is particularly relevant for applications that send emails to different recipients in succession, such as password reset notifications or other transactional emails.

Impact

The vulnerability allows email content (subject, body, attachments) and recipient addresses set for one message to be delivered unintentionally with a later message to a different recipient, disclosing that data to an unintended party and sending recipients content that was never meant for them.

Reproduction

To reproduce this vulnerability, send multiple emails in sequence using the same client instance without resetting the email properties between calls. Send the first email with all properties set, including an attachment. Then send a second email to a different recipient, setting only the required properties. The second email may still carry properties from the first, such as the attachment. This can be verified by inspecting the email received by the second recipient, which may contain content or information intended only for the first.

Remediation

Users are advised to upgrade to version 1.5.1 or later. If an immediate upgrade is not possible, a new client instance can be created for each email sent, ensuring that no previous state is carried over.
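The following is an added illustration of the state-retention pattern the advisory describes, covering the vulnerability, the reproduction steps and both remediations; it is not the Lettermint SDK's own code. The client class, its method names (to, subject, text, attach) and the recording transport are hypothetical stand-ins constructed for this example. Only .send() is named on the page.

```javascript
// Added example (not Lettermint SDK code). Models a builder-style email client
// whose per-message properties live on the instance, so a second .send() on
// the same instance can carry over properties from the first.

// Offline transport that records what would have been delivered. Payloads are
// snapshotted so later mutation of the builder cannot alter the record.
function makeTransport() {
  const sent = [];
  return {
    sent,
    deliver(payload) {
      sent.push(JSON.parse(JSON.stringify(payload)));
    },
  };
}

function emptyEmail() {
  return { to: [], subject: '', text: '', attachments: [] };
}

// Vulnerable pattern: state is never cleared after send(). Anything the next
// caller does not explicitly overwrite (here: attachments) leaks forward.
class LeakyClient {
  constructor(transport) {
    this.transport = transport;
    this.email = emptyEmail();
  }
  to(addr) { this.email.to = [addr]; return this; }
  subject(s) { this.email.subject = s; return this; }
  text(t) { this.email.text = t; return this; }
  attach(name, content) { this.email.attachments.push({ name, content }); return this; }
  send() {
    this.transport.deliver(this.email);
    return this.email;
  }
}

// Fixed pattern (what an upgrade is expected to provide): per-message state is
// rebuilt from scratch after every send, so nothing carries into the next one.
class ResettingClient extends LeakyClient {
  send() {
    const payload = this.email;
    this.transport.deliver(payload);
    this.email = emptyEmail(); // clear state before the next message
    return payload;
  }
}

// Reproduction scenario from the advisory: first send with all properties
// including an attachment, second send to a different recipient with only the
// required properties. Returns the recorded payloads.
function runScenario(ClientClass) {
  const transport = makeTransport();
  const client = new ClientClass(transport);
  client.to('alice@example.com').subject('Your invoice').text('See attached.')
    .attach('invoice.pdf', 'constructed-sample-bytes').send(); // constructed data
  client.to('bob@example.com').subject('Password reset').text('Use the link.').send();
  return transport.sent;
}

// Interim workaround from the advisory: a fresh client instance per email, so
// even the leaky class cannot carry state across messages.
function runScenarioFreshInstances(ClientClass) {
  const transport = makeTransport();
  new ClientClass(transport).to('alice@example.com').subject('Your invoice')
    .text('See attached.').attach('invoice.pdf', 'constructed-sample-bytes').send();
  new ClientClass(transport).to('bob@example.com').subject('Password reset')
    .text('Use the link.').send();
  return transport.sent;
}

// Regression check a project can keep in its test suite: the second message
// must not carry an attachment that was never set for it.
function secondSendLeaksAttachment(ClientClass) {
  const sent = runScenario(ClientClass);
  return sent[1].attachments.length > 0;
}
```

Running secondSendLeaksAttachment against LeakyClient returns true, against ResettingClient false; runScenarioFreshInstances shows the new-instance-per-email workaround gives a clean second message even with the leaky class. The same shape of check, asserting that recipients, subject and attachments of each recorded payload match exactly what was set for that message, is a useful guard against this class of bug in any client that reuses a mutable builder.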

Added: Feb 21, 2026, 11:18 AM
Updated: Feb 21, 2026, 11:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.3
remediation: 0.0
relevance: 3.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.