Nodemailer SMTP Server Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Nodemailer SMTP server package, specifically in versions prior to 3.18.3. The issue arises in the command parser of the SMTPStream._write method within the lib/smtp-stream.js file. Remote attackers can exploit this vulnerability by sending data without newline characters, causing the server's _remainder buffer to grow uncontrollably. This unchecked growth leads to excessive memory consumption, prolonged garbage collection pauses that freeze the event loop, and, in some cases, a process crash.
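To make the failure mode concrete, here is an added example (not code from the advisory or from the smtp-server project, and not its fix) of a minimal newline-delimited command parser of the shape described above. Passing `Infinity` as the cap keeps the vulnerable behaviour, where the pending remainder grows with every newline-free chunk; a finite cap fails the connection instead. The class name, the 1024-byte cap and the `ELINETOOLONG` code are assumptions made for this example.

```javascript
const MAX_LINE_BYTES = 1024; // assumed cap; real SMTP command lines are far shorter

class LineParser {
  constructor(maxLineBytes = MAX_LINE_BYTES) {
    this.maxLineBytes = maxLineBytes;
    this.remainder = Buffer.alloc(0); // bytes seen since the last newline
  }
  // Drop whatever is pending and build the error used to fail the connection.
  tooLong() {
    this.remainder = Buffer.alloc(0);
    const err = new Error('line too long');
    err.code = 'ELINETOOLONG'; // assumed error code for this example
    return err;
  }
  // Returns the complete lines in `chunk` (CRLF or LF terminated, terminator
  // stripped); anything after the last newline stays pending in `remainder`.
  // With maxLineBytes = Infinity nothing ever bounds that remainder, which is
  // the unbounded growth the advisory describes.
  write(chunk) {
    const data = Buffer.concat([this.remainder, chunk]);
    const lines = [];
    let start = 0;
    for (let i = 0; i < data.length; i++) {
      if (data[i] !== 0x0a) continue; // not '\n'
      const end = (i > start && data[i - 1] === 0x0d) ? i - 1 : i; // drop '\r'
      if (end - start > this.maxLineBytes) throw this.tooLong();
      lines.push(data.subarray(start, end).toString('utf8'));
      start = i + 1;
    }
    const pending = data.subarray(start);
    if (pending.length > this.maxLineBytes) throw this.tooLong();
    this.remainder = pending;
    return lines;
  }
}

// Feed `count` newline-free chunks of `chunkBytes` (constructed input, the
// pattern the advisory describes); returns the remainder size reached, or the
// error code that stopped the feed.
function feedNewlineFree(parser, count, chunkBytes) {
  const chunk = Buffer.alloc(chunkBytes, 0x41); // 'A' repeated
  for (let i = 0; i < count; i++) {
    try { parser.write(chunk); } catch (e) { return e.code; }
  }
  return parser.remainder.length;
}
```

Run under Node.js; `feedNewlineFree(new LineParser(Infinity), 4, 65536)` returns 262144 pending bytes from one connection, while `feedNewlineFree(new LineParser(), 4, 65536)` stops at the first chunk with `ELINETOOLONG` and an empty remainder.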

Impact

Exploitation of this vulnerability allows for memory exhaustion, with a single connection capable of exhausting process memory. The effect multiplies linearly with additional connections, making the attack trivial to execute.

Reproduction

The vulnerability can be reproduced by setting up an SMTP server using a Nodemailer SMTP server package version prior to 3.18.3. Once the server is running, a client can connect and send data in chunks without including newline characters. This causes the server's memory usage to increase as the _remainder buffer fills up, leading to memory exhaustion. The issue can be automated with a script that sends data at a rate the server cannot process, such as one that writes 64KB chunks as fast as possible.

Remediation

Users can upgrade to Nodemailer SMTP server version 3.18.3 or later, where this vulnerability has been fixed.

Added: May 15, 2026, 3:38 PM
Updated: May 15, 2026, 3:38 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.