Package details: pkg:npm/nodemailer@0.3.0
purl pkg:npm/nodemailer@0.3.0
Next non-vulnerable version 7.0.11
Latest non-vulnerable version 8.0.5
Risk 4.5
Vulnerabilities affecting this package (6)
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-5va3-b6xm-s3dt (aliases: CVE-2020-7769, GHSA-48ww-j4fc-435p) | Injection Vulnerability: Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending emails. | 6.4.16 (affected by 5 other vulnerabilities) |
| VCID-5w3y-3jd9-tug2 (aliases: GHSA-9h6g-pr28-7cqp, GMS-2024-59) | nodemailer ReDoS when trying to send a specially crafted email: A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter `attachDataUrls` set, causing the event loop to get stuck. Another flaw was found when nodemailer tries to parse an attachment with an embedded file, causing the event loop to get stuck. | 6.9.9 (affected by 3 other vulnerabilities) |
| VCID-dm5c-jfy6-jyax (aliases: GHSA-46j5-6fg5-4gv3) | Duplicate Advisory: Nodemailer is vulnerable to DoS through Uncontrolled Recursion. Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-rcmh-qjqh-p98v. This link is maintained to preserve external references. Original Description: A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser. | 7.0.11 (affected by 0 other vulnerabilities) |
| VCID-dyzb-n3f5-u3by (aliases: CVE-2025-13033, GHSA-mm7p-fcc7-pg87) | Duplicate: This advisory duplicates another. | 7.0.7 (affected by 2 other vulnerabilities) |
| VCID-ggzv-yq4b-4qdk (aliases: CVE-2021-23400, GHSA-hwqf-gcqm-7353) | Injection Vulnerability: The package nodemailer is vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object. | 6.6.1 (affected by 4 other vulnerabilities) |
| VCID-hx8n-ebjx-pfah (aliases: CVE-2025-14874, GHSA-rcmh-qjqh-p98v) | Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls: A DoS can occur that immediately halts the system due to the use of an unsafe function. | 7.0.11 (affected by 0 other vulnerabilities) |
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T06:32:06.346151+00:00 | GitLab Importer | Affected by | VCID-dm5c-jfy6-jyax | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/nodemailer/GHSA-46j5-6fg5-4gv3.yml | 38.6.0 |
| 2026-06-06T06:27:43.629274+00:00 | GitLab Importer | Affected by | VCID-hx8n-ebjx-pfah | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/nodemailer/CVE-2025-14874.yml | 38.6.0 |
| 2026-06-06T06:13:04.239480+00:00 | GitLab Importer | Affected by | VCID-dyzb-n3f5-u3by | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/nodemailer/CVE-2025-13033.yml | 38.6.0 |
| 2026-06-06T04:33:53.777341+00:00 | GitLab Importer | Affected by | VCID-5w3y-3jd9-tug2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/nodemailer/GHSA-9h6g-pr28-7cqp.yml | 38.6.0 |
| 2026-06-06T00:47:16.859972+00:00 | GitLab Importer | Affected by | VCID-ggzv-yq4b-4qdk | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/nodemailer/CVE-2021-23400.yml | 38.6.0 |
| 2026-06-04T20:40:56.614974+00:00 | GitLab Importer | Affected by | VCID-5va3-b6xm-s3dt | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/nodemailer/CVE-2020-7769.yml | 38.6.0 |