nodemailer / smtp-server

Create custom SMTP servers on the fly

CVE-2021-23400: nodemailer < 6.6.1 - HTTP Header Injection Vulnerability - 6.6.1 #167

Closed RMutharaju closed 2 years ago

RMutharaju commented 2 years ago

Hello,

Node-red-nodes email has the dependency "nodemailer": "~6.6.0".

The package nodemailer before 6.6.1 is vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

https://nvd.nist.gov/vuln/detail/CVE-2021-23400

Solution: Update Node.js Package: nodemailer to version 6.6.1 or later.
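Added example (not part of the original issue and not code from Nodemailer or smtp-server): an application-side check that refuses address inputs containing control characters before they are handed to a mail library, as defense in depth alongside the upgrade to 6.6.1. The function names are hypothetical, and the check is deliberately stricter than CR/LF alone, rejecting every C0 control character and DEL.

```javascript
// Added example: flag control characters (including CR and LF) in address inputs.
// Function names are hypothetical; `name`/`address` is the address-object shape.
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;

function findUnsafeAddressFields(input, path = "address") {
  const problems = [];
  if (input === undefined || input === null) return problems;
  if (typeof input === "string") {
    if (CONTROL_CHARS.test(input)) problems.push(path);
  } else if (Array.isArray(input)) {
    input.forEach((item, i) => {
      problems.push(...findUnsafeAddressFields(item, `${path}[${i}]`));
    });
  } else if (typeof input === "object") {
    for (const key of ["name", "address"]) {
      if (!(key in input)) continue;
      if (typeof input[key] !== "string") problems.push(`${path}.${key} (not a string)`);
      else if (CONTROL_CHARS.test(input[key])) problems.push(`${path}.${key}`);
    }
  } else {
    problems.push(`${path} (unsupported type)`);
  }
  return problems;
}

// Check every address-bearing field of a message object; throw on any hit.
function assertSafeEnvelope(mail) {
  const problems = [];
  for (const field of ["from", "to", "cc", "bcc", "replyTo", "sender"]) {
    problems.push(...findUnsafeAddressFields(mail[field], field));
  }
  if (problems.length > 0) {
    throw new Error(`control characters in address fields: ${problems.join(", ")}`);
  }
  return mail;
}

// Constructed sample input (not taken from the issue).
const benign = { from: { name: "Alerts", address: "alerts@example.com" }, to: ["ops@example.com"] };
const tainted = {
  from: { name: "Alerts\r\nX-Test: 1", address: "alerts@example.com" },
  to: ["ops@example.com", "a@example.com\nX-Test: 2"],
};
```

Call `assertSafeEnvelope(message)` on user-influenced message objects before sending; it returns the object unchanged when every address field is clean.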

andris9 commented 2 years ago

After reviewing the vulnerability, there is no need to change anything in smtp-server as the vulnerable parts of Nodemailer are not used and thus do not apply to smtp-server.