Node-red-nodes email has dependency "nodemailer": "~6.6.0",
The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
After reviewing the vulnerability there is no need to change anything in smtp-server as the vulnerable parts of Nodemailer are not used and thus do not apply to smtp-server.
Hello,
Node-red-nodes email has dependency "nodemailer": "~6.6.0",
The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
https://nvd.nist.gov/vuln/detail/CVE-2021-23400
Solution: Update Node.js Package: nodemailer to version 6.6.1 or later.