CVE-2021-23400
Header injection in nodemailer
Severity: 6.3 MEDIUM (CVSS 3.1)
EPSS: 0.54%
Description
The package nodemailer before 6.6.1 is vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
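As an added example (not code from the advisory or from nodemailer itself), the following shows the two checks a defender wants around this issue: rejecting address objects whose `name` or `address` fields contain CR, LF or other control characters before they reach nodemailer, and a plain upstream semver comparison against the fixed version 6.6.1. The `{ name, address }` object shape is nodemailer's address form as the advisory describes it; the function names, the sample recipients and the tainted value are constructed for illustration. The version check covers only upstream `major.minor.patch` strings and does not understand the Debian `6.4.17-3` package revision.

```javascript
// Added example, not nodemailer's own code. Defensive validation of
// address fields before they are placed into a nodemailer address
// object, plus an upstream version check for the 6.6.1 fix.

// CR, LF and other control characters can end a header line.
const CONTROL_CHARS = /[\r\n\x00-\x1f\x7f]/;

// True when a string contains a character that could break a header.
function hasHeaderBreak(value) {
  return typeof value === "string" && CONTROL_CHARS.test(value);
}

// Validate one nodemailer-style { name, address } object. Returns the
// object unchanged when clean; throws when a field could inject a header
// or when the address is not a simple user@host.
function validateAddressObject(addr) {
  if (addr === null || typeof addr !== "object") {
    throw new TypeError("address must be an object");
  }
  for (const field of ["name", "address"]) {
    const v = addr[field];
    if (v !== undefined && hasHeaderBreak(v)) {
      throw new Error(`control character in address field "${field}"`);
    }
  }
  if (typeof addr.address !== "string" || !/^[^\s@]+@[^\s@]+$/.test(addr.address)) {
    throw new Error("address is not a simple user@host");
  }
  return addr;
}

// Compare an upstream "major.minor.patch" version against the fixed
// release 6.6.1. Returns true when the installed version is 6.6.1 or
// later, false for older or unparseable versions.
function isFixedVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) return false;
  const parts = m.slice(1, 4).map(Number);
  const fixed = [6, 6, 1];
  for (let i = 0; i < 3; i++) {
    if (parts[i] > fixed[i]) return true;
    if (parts[i] < fixed[i]) return false;
  }
  return true;
}

// Build the options object handed to transporter.sendMail(); every
// sender and recipient passes through validation first.
function buildMailOptions(from, to, subject, text) {
  return {
    from: validateAddressObject(from),
    to: to.map(validateAddressObject),
    subject,
    text,
  };
}

// Constructed sample input: one clean recipient and one whose display
// name carries a CR/LF sequence.
const CLEAN = { name: "Alice", address: "alice@example.com" };
const TAINTED = { name: "Mallory\r\nX-Injected: 1", address: "mallory@example.com" };

// Runs both cases and reports whether the clean one passed and the
// tainted one was rejected.
function demo() {
  const ok = buildMailOptions(CLEAN, [CLEAN], "hello", "hi");
  let rejected = false;
  try {
    buildMailOptions(CLEAN, [TAINTED], "hello", "hi");
  } catch (e) {
    rejected = true;
  }
  return { ok: ok.to.length === 1, rejected };
}

console.log(demo());
```

Upgrading to 6.6.1 (or the Debian 6.4.17-3 package) is the fix; the input validation above is defence in depth that keeps control characters out of address fields regardless of which nodemailer version is installed.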
How to fix CVE-2021-23400
To remediate CVE-2021-23400, upgrade the affected package to a fixed version below.
- Debian/node-nodemailer: upgrade to 6.4.17-3 or later
- nodemailer: upgrade to 6.6.1 or later
Is CVE-2021-23400 being exploited?
Low: EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/node-nodemailer: from 0, < 6.4.17-3
- nodemailer: from 0, < 6.6.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |