CVEFinder.io

CVE-2021-23400

🔶 medium
Summary

The package nodemailer before 6.6.1 is vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

CVSS Score: 6.3 (Medium)
EPSS Score: 0.5 (Exploit Probability)
Published Date: 2021-06-29
First Seen: 2026-01-05
Last Modified: 2024-11-21
Source: NVD
CVSS Vector 3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

🔗 Related CVEs 3

CVE ID Severity CVSS EPSS Summary Published
CVE-2025-14874 ⚠️ high 7.5 0.1 A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header t... 2025-12-18
CVE-2025-13033 ⚠️ high 7.5 0.1 A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient em... 2025-11-14
CVE-2020-7769 ⚠️ high 8.6 0.5 This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary comm... 2020-11-12
These CVEs affect the same products